Cisco 2015 Annual Security Report


Executive Summary

As dynamic as the modern threat landscape is, there are some constants.

Four discussion areas of the Cisco 2015 Annual Security Report:

1. Threat Intelligence

2. Cisco Security Capabilities Benchmark Study

3. Geopolitical and Industry Trends

4. Changing the View Toward Cybersecurity—From Users to the Corporate Boardroom

Adversaries are committed to continually refining or developing new techniques that can evade detection and hide malicious activity. Meanwhile, the defenders—namely, security teams—must constantly improve their approach to protecting the organization and users from these increasingly sophisticated campaigns.

Caught in the middle are the users. But now, it appears they not only are the targets, but also the complicit enablers of attacks.

The Cisco 2015 Annual Security Report, which presents the research, insights, and perspectives provided by Cisco® Security Research and other security experts within Cisco, explores the ongoing race between attackers and defenders, and how users are becoming ever-weaker links in the security chain.

Cybersecurity is a broad and complex topic that has a far-reaching impact on users, companies, governments, and other entities around the world. The Cisco 2015 Annual Security Report is divided into four areas of discussion. These sections, and the issues explored within them, may at first glance seem disparate, but closer examination reveals their interconnectedness:


1. Threat Intelligence This section provides an overview of the latest threat research from Cisco, including updates on exploit kits, spam, threats and vulnerabilities, and malvertising (malicious advertising) trends. Online criminals’ growing reliance on users to help launch their attacks is also examined. To produce their analysis of observed trends in 2014, Cisco Security Research utilized a global set of telemetry data. The threat intelligence provided in the report represents work conducted by top security experts across Cisco.

2. Security Capabilities Benchmark Study To gauge perceptions of security professionals on the state of security in their organizations, Cisco asked chief information security officers (CISOs) and security operations (SecOps) managers in nine countries and at organizations of different sizes about their security resources and procedures. The study’s findings are exclusive to the Cisco 2015 Annual Security Report.

3. Geopolitical and Industry Trends In this section, Cisco security, geopolitical, and policy experts identify current and emerging geopolitical trends that organizations—particularly, multinational companies—should monitor. In focus: how cybercrime is flourishing in areas of weak governance. Also covered are recent developments around the world related to the issues of data sovereignty, data localization, encryption, and data compatibility.

4. Changing the View Toward Cybersecurity—From Users to the Corporate Boardroom Cisco security experts suggest that it is time for organizations to start viewing their approach to cybersecurity differently if they want to achieve real-world security. Strategies include adopting more sophisticated security controls to help defend against threats before, during, and after an attack; making security a topic at the corporate boardroom level; and implementing the Cisco Security Manifesto, a set of security principles that can help organizations become more dynamic in their approach to security—and more adaptive and innovative than adversaries.

The interconnectedness of the security topics covered in the Cisco 2015 Annual Security Report comes down to this: Attackers have become more proficient at taking advantage of gaps in security to hide and conceal their malicious activity. Users—and security teams—are both part of the security problem. While many defenders believe their security processes are optimized—and their security tools are effective—in truth, their security readiness likely needs improvement. What happens in the geopolitical landscape, from legislation to security threats, can have a direct impact on business operations and how an organization addresses security. And taking into consideration all these factors, it has never been more critical for organizations of all sizes to understand that security is a people problem, that compromise is inevitable, and that the time to take a new approach to security is now.

Key Discoveries

Following are key discoveries presented in the Cisco 2015 Annual Security Report.

Attackers have become more proficient at taking advantage of gaps in security to hide and conceal malicious activity.

► In 2014, 1 percent of high-urgency Common Vulnerabilities and Exposures (CVE) alerts were actively exploited. This means organizations must prioritize and patch that 1 percent of all vulnerabilities quickly. But even with leading security technology, excellence in process is required to address vulnerabilities.

► Since the Blackhole exploit kit was sidelined in 2013, no other exploit kit has been able to achieve similar heights of success. However, the top spot may not be as coveted by exploit kit authors as it once was.

► Java exploits have decreased by 34 percent, as Java security improves and adversaries move to embrace new attack vectors.

► Flash malware can now interact with JavaScript to help conceal malicious activity, making it much harder to detect and analyze.

► Spam volume increased 250 percent from January 2014 to November 2014.

► Snowshoe spam, which involves sending low volumes of spam from a large set of IP addresses to avoid detection, is an emerging threat.

Users and IT teams have become unwitting parts of the security problem.

► Online criminals rely on users to install malware or help exploit security gaps.

► Heartbleed, the dangerous security flaw, critically exposes OpenSSL. Yet 56 percent of all OpenSSL versions are older than 50 months and are therefore still vulnerable.

► Users’ careless behavior when using the Internet, combined with targeted campaigns by adversaries, places many industry verticals at higher risk of web malware exposure. In 2014, the pharmaceutical and chemical industry emerged as the number-one highest-risk vertical for web malware exposure, according to Cisco Security Research.

► Malware creators are using web browser add-ons as a medium for distributing malware and unwanted applications. This approach to malware distribution is proving successful for malicious actors because many users inherently trust add-ons or simply view them as benign.

The Cisco Security Capabilities Benchmark Study reveals disconnects in perceptions of security readiness.

► Fifty-nine percent of chief information security officers (CISOs) view their security processes as optimized, compared to 46 percent of security operations (SecOps) managers.

► About 75 percent of CISOs see their security tools as very or extremely effective, with about one-quarter perceiving security tools as only somewhat effective.

► Ninety-one percent of respondents from companies with sophisticated security strongly agree that company executives consider security a high priority.

► Less than 50 percent of respondents use standard tools such as patching and configuration to help prevent security breaches.

► Larger, midsize organizations are more likely to have highly sophisticated security postures, compared to organizations of other sizes included in the study.



Table of Contents

Executive Summary .......................................................... 2

Key Discoveries................................................................. 4

Attackers vs. Defenders: An Ongoing Race .................... 6

1. Threat Intelligence ........................................................ 7

Web Exploits: For Exploit Kit Authors, Holding the Top Spot May Not Mean You’re the Best ........................................... 7

Threats and Vulnerabilities: Java Declines as an Attack Vector .......... 8

Uncovering the Archaeology of Vulnerabilities: The Dangers of Outdated Software—and Why Patching Isn’t the Only Solution ......... 12

Industry Vertical Risk Report: Targeting by Adversaries and Users’ Careless Practices Are a Potent Combination for Companies in High-Risk Verticals ........................................................................ 13

Spam Update: Spammers Adopt the “Snowshoe” Strategy ............ 18

Malvertising from Browser Add-Ons: Inflicting Slight Damage Per User to Collect Big Rewards .............................. 21

2. Cisco Security Capabilities Benchmark Study ......... 24

Cisco Security Capabilities: How Well Do Organizations Measure Up? ........................................ 24

3. Geopolitical and Industry Trends ............................... 38

Cybercrime Thriving in Areas of Weak Governance ......................... 38

The Conundrum of Data Sovereignty, Data Localization, and Encryption .................................................... 39

Data Privacy Compatibility ................................................................. 40

4. Changing the View Toward Cybersecurity— From Users to the Corporate Boardroom ...................... 42

Secure Access: Understanding Who Is on Your Network, When, and How ......................................................... 42

The Future of Cybersecurity Hinges on Boardroom Engagement Today ........................................................ 44

Cisco Security Manifesto: Basic Principles for Achieving Real-World Security ......................................................... 45

About Cisco ..................................................................... 46

Appendix ......................................................................... 47

Endnotes ........................................................................................... 52


Attackers vs. Defenders: An Ongoing Race

Security professionals and online criminals are in an ongoing race to see which side can outwit the other. On the security side, organizations appear to have upped their game by adopting more sophisticated tools for preventing attacks and reducing their impact. They’ve recognized the business necessity of a strong security posture—and express confidence that their security processes are optimized. Technology vendors are also more attentive toward finding and fixing vulnerabilities in their products, giving criminals fewer opportunities to launch exploits.

But at the same time, adversaries are becoming more sophisticated not only in their approaches to launching attacks, but also in evading detection:

► They change their tactics and tools from moment to moment, disappearing from a network before they can be stopped, or quickly choosing a different method to gain entry.

► They devise spam campaigns using hundreds of IP addresses in an attempt to bypass IP-based anti-spam reputation products.

► They design malware that relies on tools that users trust, or view as benign, to persistently infect and hide in plain sight on their machines.

► They find new vulnerabilities to exploit if vendors shut down weaknesses in other products.

► They work at establishing a hidden presence or blend in with the targeted organization, sometimes taking weeks or months to establish multiple footholds in infrastructure and user databases. Only when they are ready will they execute their core mission.

According to the new Cisco Security Capabilities Benchmark Study (see page 24), security professionals say they’re optimistic that they’re well prepared to hold back online attackers. Yet adversaries continue to steal information, make money through scams, or disrupt networks for political goals. In the end, security is a numbers game: Even if an organization blocks 99.99 percent of billions of spam messages, some will make it through. There is no way to ensure 100 percent effectiveness.

When these messages or exploits manage to reach users, it is the users themselves who become the weak point in the network. Since enterprises have become more adept at using solutions that block network breaches, malware, and spam, malicious actors may instead exploit users through tactics such as sending them a fake request for a password reset.

With users becoming ever-weaker links in the security chain, enterprises have choices to make when implementing security technologies and policies: As developers try to make applications and software more intuitive and easy to use, do organizations open new loopholes for cybercriminals to exploit? Do enterprises bypass users, assuming they cannot be trusted or taught, and install stricter security controls that impede how users do their jobs? Do they take the time to educate users on why security controls are in place, and clearly explain how users play a vital role in helping the organization achieve dynamic security that supports the business?

As the principles outlined in the Cisco Security Manifesto on page 45 suggest, it is the latter. Technology solutions rarely empower users to take charge of security as active participants. Instead, they force them to work around security tools that get in the way of their workday—thus leaving the business less secure. Security is no longer a question of if a network will be compromised. Every network will, at some point, be compromised. What will an organization do then? And if security staff knew the network was going to be compromised, would it approach security differently?

The Cisco 2015 Annual Security Report presents the latest research from its Cisco Security Research group. The team examines security industry advances designed to help organizations and users defend against attacks, and the techniques and strategies employed by adversaries hoping to break through those defenses. The report also highlights key findings from the Cisco Security Capabilities Benchmark Study, which examines the security posture of enterprises and their perceptions of their preparedness to defend against attacks. Geopolitical trends, global developments around data localization, the value of more sophisticated secure access controls, segmentation based on role-based access, and the importance of making cybersecurity a boardroom topic are also discussed.


In the business world, companies strive to be known as industry leaders. But for exploit kit authors operating in the so-called “shadow economy,” maintaining fourth or fifth position among leading exploit kits may be an even more telling sign of success, according to Cisco Security Research.

As reported in the Cisco 2014 Midyear Security Report, there has been no clear leader among exploit kits since late 2013.1 That’s when authorities sidelined the widely used, well-maintained, and highly effective Blackhole exploit kit after arresting its alleged creator and distributor, known as “Paunch.” Cisco Security Research suggests that a key reason no dominant exploit kit exists—yet—is simply because no other kit has emerged as a true technological leader among contenders. Another trend observed: Since the takedown of Paunch and Blackhole, more exploit kit users appear to be taking care to invest in kits known to be technically sophisticated in terms of their ability to evade detection.

Throughout 2014, Angler, Sweet Orange, and Goon were the exploit kits observed most often “in the wild,” according to Cisco security experts. Among all exploit kits, Angler was detected in the field most frequently during 2014, and for reasons that are unclear, was especially prevalent in late August. Cisco Security Research attributes Angler’s popularity to the decision by its author(s) to eliminate the requirement of downloading a Windows executable to deliver malware.

Angler’s use of Flash, Java, Microsoft Internet Explorer (IE), and even Silverlight vulnerabilities makes this exploit kit the “one to watch,” say Cisco researchers. Once the exploit is triggered, the malware payload is written directly into memory in a process such as iexplore.exe, instead of being written to a disk. The payload delivered by Angler looks like a blob of encrypted data, which makes it harder to identify and block.

The Sweet Orange exploit kit is also very dynamic; its components, ports, and payload URLs change constantly so that Sweet Orange can remain effective and avoid detection. This positions Sweet Orange as the “most likely to succeed” among exploit kits, according to Cisco Security Research. Sweet Orange distributes a range of malware to unpatched end-user systems, and includes exploits for vulnerabilities in Adobe Flash Player, IE, and Java. Adversaries who use Sweet Orange often rely on malvertising to redirect users to websites—including legitimate sites—that host the exploit kit. Users are usually redirected at least twice in the process. Compromised websites running outdated versions of content management systems (CMS) such as WordPress and Joomla are other locations known to be ripe for hosting the Sweet Orange exploit kit.2

As for the Goon exploit kit, Cisco Security Research points to its reputation for reliability as the likely reason for its modest but consistent popularity in 2014; it also has earned the distinction of being “the most organized” compared to other exploit kits. Originally discovered by security researchers in 2013, Goon—known also as the “Goon/Infinity exploit kit”—is a malware distribution framework that generates exploits for browser vulnerabilities pertaining to Flash, Java, or Silverlight components on Windows and Mac platforms.3

To learn more about Angler, and how malvertising (malicious advertising) is used as a primary avenue for delivering the exploit kit to users, see the Cisco Security blog post, “Angling for Silverlight Exploits.”

1. Threat Intelligence

Cisco Security Research has assembled and analyzed security insights in this report based on a global set of telemetry data. Cisco security experts perform ongoing research and analysis of discovered threats, such as malware traffic, which can provide insights on possible future criminal behavior and aid in the detection of threats.

Web Exploits: For Exploit Kit Authors, Holding the Top Spot May Not Mean You’re the Best


While the overall number of exploit kits detected in the field had dropped by 87 percent in the months following the demise of the Blackhole exploit kit, the number of kits detected by Cisco Security Research increased over the summer of 2014 (see Figure 1). In the last two weeks of August, they observed a significant spike in the number of detections in the field of the Angler exploit kit. However, by November, the overall number of detections of known exploit kits had once again declined, with Angler and Goon/Infinity still showing up most frequently. The overall average decline in the number of exploit kits detected between May and November 2014 is 88 percent.

Threats and Vulnerabilities: Java Declines as an Attack Vector

In recent years, Java has played an unwanted starring role in lists of the most prevalent and severe vulnerabilities to exploit. However, Java appears to be falling out of favor among adversaries searching for the fastest, easiest, and least detectable ways to launch exploits using software vulnerabilities, according to Cisco Security Research.

Of the top 25 vendor- and product-related vulnerability alerts from January 1, 2014, to November 30, 2014, only one was Java-related (see Table 1’s Common Vulnerability Scoring System [CVSS] chart on page 10). In 2013, Cisco Security Research tracked 54 urgent new Java vulnerabilities; in 2014, the number of tracked Java vulnerabilities fell to just 19. This decline does not make the older Java vulnerabilities that persist today any less popular or effective as targets for online criminals.

Data from the National Vulnerability Database (NVD) shows a similar decline: NVD reported 309 Java vulnerabilities in 2013 and 253 new Java vulnerabilities in 2014. (Cisco Security Research tracks significant vulnerabilities that score high on the CVSS scale, hence the lower number, while the NVD includes all reported vulnerabilities.) Figure 2 outlines top vulnerability exploits by vendor and product in 2014.

[Figure 1 chart: Exploit Kits: Unique Hits by Month, January 2014 to November 2014; 88% overall average decline in exploit kits detected in 2014. Source: Cisco Security Research]

Read the Cisco Security blog post, “Fiesta Exploit Pack Is No Party for Drive-By Victims,” to find out how companies can defend against the Fiesta exploit kit. This kit delivers malware through attack vectors such as Silverlight and uses dynamic DNS domains (DDNS) as exploit landing pages.

For details on the Nuclear exploit kit, and its ability to assess a user’s system to determine vulnerabilities and deliver appropriate malware types, see the Cisco Security blog post, “Evolution of the Nuclear Exploit Kit.”

Figure 1. Exploit Kit Trends: Number of Unique Hits Detected from January to November 2014

Figure 2. Top Vendor and Product Vulnerability Exploits (count by vendor or product): Microsoft 8; Adobe Flash Player, Reader 5; HP 3; Apache Struts Framework 2; WordPress 2; Symantec 1; Oracle Java 1; PHP 1; OpenSSL 1; Mozilla 1; Linux Kernel 1. Source: Cisco Security Research


Exploits involving client-side vulnerabilities in Adobe Flash Player and Microsoft IE have taken the lead away from Java, along with exploits that target servers (for example, exploits involving vulnerabilities in Apache Struts Framework, the open-source web framework). The growing number of Apache Struts Framework exploits is an example of the trend toward criminals compromising online infrastructure as a way to expand their reach and ability during their attacks.

The Apache Struts Framework is a logical starting point for exploits due to its popularity.

Figure 3 highlights the most popular product categories that were exploited in 2014.

In 2014, applications and infrastructure were the most frequently exploited, according to Cisco Security Research data. Content management systems (CMS) are also preferred targets; adversaries rely on websites running outdated versions of CMS to facilitate exploit delivery.

Cumulative Annual Alerts on a Decline

Annual alert totals, the cumulative new and updated product vulnerabilities reported in 2014 and compiled by Cisco Security Research, appear to be on the decline (Figure 4). As of November 2014, total alerts fell below 2013 totals by 1.8 percent. The percentage may be small, but it is the first time in recent years that alerts have fallen in number compared to the previous year.

The most likely reason for the decline is the growing attention to software testing and development on the part of vendors. Improved development lifecycles appear to reduce the number of vulnerabilities that criminals can easily exploit.

Figure 4. Cumulative Annual Alert Totals (chart: alerts by month, January to December, for 2012, 2013, and 2014). Source: Cisco Security Research

Figure 3. Top Product Categories Exploited: Infrastructure 41.9%; Application 32.6%; ICS-SCADA 11.6%; CMS 11.6%; TLS 2.3%. Source: Cisco Security Research


The number of new alerts for 2013 and 2014 indicates that more new vulnerabilities continue to be reported than in previous years, meaning that vendors, developers, and security researchers are finding, fixing, and reporting more new vulnerabilities in their products. As shown in Figure 5, the total number of new alerts and the annual total are even or slightly declining in 2014 compared to 2013.

Table 1 illustrates some of the most commonly exploited vulnerabilities, according to the Common Vulnerability Scoring System (CVSS). The U.S. National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) provides a framework for communicating the characteristics and impacts of IT vulnerabilities and supports the CVSS. The “Urgency” score in the CVSS table indicates that these vulnerabilities are being actively exploited, which corresponds to the “Temporal” scores indicating active exploits. By scanning the list of products being exploited, enterprises can also determine which of these products are in use and therefore need to be monitored and patched.

Figure 6 depicts the vendors and products with the highest CVSS scores. Cisco indicates through the CVSS score that a proof-of-concept exploit code exists; however, the code is not known to be publicly available.

[Figure 5 chart: Alerts (Total), New Alerts vs. Updated Alerts, by year from 2011 to 2014; the annual totals marked on the chart are approximately 5300, 6200, 6200, and 7400.]

Table 1. Most Commonly Exploited Vulnerabilities
Source: Cisco Security Research
(The Urgency, Credibility, and Severity columns were graphical indicators in the original and are not reproduced here.)

IntelliShield ID | Headline | CVSS Base | CVSS Temporal
33695 | OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability | 5.0 | 5.0
35880 | GNU Bash Environment Variable Content Processing Arbitrary Code Execution Vulnerability | 10.0 | 7.4
36121 | Drupal Core SQL Injection Vulnerability | 7.5 | 6.2
32718 | Adobe Flash Player Remote Code Execution Vulnerability | 9.3 | 7.7
33961 | Microsoft Internet Explorer Deleted Memory Object Code Execution Vulnerability | 9.3 | 7.7
28462 | Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities | 9.3 | 7.7
35879 | GNU Bash Environment Variable Function Definitions Processing Arbitrary Code Execution Vulnerability | 10.0 | 7.4
30128 | Multiple Vendor Products Struts 2 Action: Parameter Processing Command Injection Vulnerability | 10.0 | 8.3

Figure 5. Comparison of New Alerts and Updated Alerts. Source: Cisco Security Research

[Figure 6 chart: CVSS Scores (count) by vendor or product: Cisco (18), HP (13), Microsoft (13), Adobe (9), Oracle Java (4), Apache (2), EMC (2). Source: Cisco Security Research]

Note: The vulnerabilities in Table 1 were those showing initial signs of exploit activity during the period observed. The majority of these vulnerabilities had not yet gone mainstream, meaning they had not made their way into exploit kits for sale.
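One way to act on Table 1 together with the report's advice to patch the actively exploited 1 percent first, as an added example that is not Cisco's code: the rows carry Table 1's IDs, headlines and CVSS scores, while the product inventory, the substring matching, the actively-exploited flag and the extra constructed alert are assumptions made here.

```python
"""Turn a CVSS alert feed plus a product inventory into an ordered patch queue."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    intellishield_id: int
    headline: str
    cvss_base: float
    cvss_temporal: float
    actively_exploited: bool  # stands in for the report's "Urgency" signal


# Rows of Table 1 (IDs, headlines, CVSS Base and Temporal as printed in the report).
# The report says these rows showed initial signs of exploit activity, so all are
# flagged True here; the table's own Urgency icons did not survive text extraction.
TABLE_1 = [
    Alert(33695, "OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability", 5.0, 5.0, True),
    Alert(35880, "GNU Bash Environment Variable Content Processing Arbitrary Code Execution Vulnerability", 10.0, 7.4, True),
    Alert(36121, "Drupal Core SQL Injection Vulnerability", 7.5, 6.2, True),
    Alert(32718, "Adobe Flash Player Remote Code Execution Vulnerability", 9.3, 7.7, True),
    Alert(33961, "Microsoft Internet Explorer Deleted Memory Object Code Execution Vulnerability", 9.3, 7.7, True),
    Alert(28462, "Oracle Java SE Security Bypass Arbitrary Code Execution Vulnerabilities", 9.3, 7.7, True),
    Alert(35879, "GNU Bash Environment Variable Function Definitions Processing Arbitrary Code Execution Vulnerability", 10.0, 7.4, True),
    Alert(30128, "Multiple Vendor Products Struts 2 Action: Parameter Processing Command Injection Vulnerability", 10.0, 8.3, True),
]

# Constructed alert (placeholder ID 0) with a decent score but no exploit activity,
# to show that active exploitation outranks raw score in the queue.
CONSTRUCTED_EXTRA = Alert(0, "(constructed) OpenSSL Example Denial of Service Vulnerability", 7.8, 6.5, False)

# Constructed inventory: product names this organization actually runs.
INVENTORY = ["OpenSSL", "GNU Bash", "Struts 2", "Adobe Flash Player"]


def affects_inventory(alert, inventory):
    """Case-insensitive substring match of inventory product names against the headline."""
    headline = alert.headline.lower()
    return any(product.lower() in headline for product in inventory)


def priority_key(alert):
    """Actively exploited alerts first (the report's 1 percent), then by Temporal score
    (which reflects current exploit maturity), then Base score, then ID for a stable order."""
    return (not alert.actively_exploited, -alert.cvss_temporal, -alert.cvss_base, alert.intellishield_id)


def prioritize(alerts, inventory):
    """Return only the alerts that touch products in the inventory, most urgent first."""
    return sorted((a for a in alerts if affects_inventory(a, inventory)), key=priority_key)


def patch_queue_ids(alerts, inventory):
    """IntelliShield IDs in the order the patch team should work them."""
    return [a.intellishield_id for a in prioritize(alerts, inventory)]


if __name__ == "__main__":
    for alert in prioritize(TABLE_1 + [CONSTRUCTED_EXTRA], INVENTORY):
        flag = "EXPLOITED" if alert.actively_exploited else "not yet  "
        print(f"{flag} temporal={alert.cvss_temporal:4.1f} base={alert.cvss_base:4.1f}  {alert.headline}")
```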

Figure 6. Vendors and Products with the Highest CVSS Scores


Cisco Security Research suggests that the decline in Java exploits can be tied partly to the fact that there were no new zero-day Java exploits disclosed and available for adversaries to take advantage of in 2014. Modern versions of Java automatically patch, and older, more vulnerable versions of the Java Runtime Environment are being blocked by default by browser vendors. Apple is even taking the extra step of disabling old and vulnerable versions of Java and patching them through automatic updates. In addition, the U.S. Computer Emergency Readiness Team (US-CERT) has been recommending since January 2013 that computer users secure, disable, or remove Java.

The latest version of Java, Java 8, has stronger controls than previous releases. It is also harder to exploit because it now requires human interaction, like code signing and a user dialogue that asks the user to enable Java. Online criminals have discovered easier targets and have turned their attention to non-Java vectors that deliver higher return on investment. For example, many users fail to update Adobe Flash and PDF readers or browsers regularly, providing criminals with a wider range of both old and new vulnerabilities to exploit. And as reported in the Cisco 2014 Midyear Security Report, the number of exploit kits that include Microsoft Silverlight exploits is growing.4

Figure 7 shows that Java’s reign as the top attack vector has been on a steady downward trend for more than a year. The use of Flash to launch exploits has been somewhat erratic, with the biggest spike occurring in January 2014. PDF use has been constant, as many malicious actors appear to remain focused on launching highly targeted campaigns through email using PDF attachments. Silverlight attacks, while still very low in number compared to more established vectors, are on the rise—especially since August.

[Figure 7 chart: Log Volume by attack vector, December 2012 to September 2014, for Silverlight, PDF, Flash, and Java; change over the period: Silverlight 228% (rising), PDF 7%, Flash 3%, Java 34% (declining). Source: Cisco Security Research]

Figure 7. Comparison of Volume Trends by Attack Vector

Flash and JavaScript: Better Together?

In 2014, Cisco Security Research observed growth in the use of Flash malware that interacts with JavaScript. The exploit is shared between two different files—one Flash, one JavaScript. Sharing exploits over two different files and formats makes it more difficult for security devices to identify and block the exploit, and to analyze it with reverse engineering tools. This approach also helps adversaries to be more efficient and effective in their attacks. For example, if the first stage of an attack is entirely in JavaScript, then the second stage, the payload transmission, would not occur until after the JavaScript executes successfully. This way, only users who can run the malicious file receive the payload.

Analysis: Likely Factors for Adversaries Abandoning Java Exploits


As explained in the discussion about vulnerabilities (see page 8), adversaries take the easiest path available when determining how and where their exploits will succeed. They choose products that present more attack surface opportunities; those opportunities are generally created by the use of unpatched or outdated software. For example, appliance patching remains a challenge since there are many systems still vulnerable to the SSL Poodle attack.5 Based on observed trends, Cisco Security Research suggests that the proliferation of outdated versions of exploitable software will continue to lead to security issues of great magnitude.

Cisco Security Research used scanning engines to examine devices connected to the Internet and using OpenSSL. The team determined that 56 percent of devices surveyed used versions of OpenSSL that were more than 50 months old. This means that despite the publicity given to Heartbleed,6 the security flaw in the handling of Transport Layer Security (TLS) discovered in 2014, and the urgent need to upgrade to the latest version of OpenSSL software to avoid such vulnerabilities, organizations are failing to ensure that they are running the latest versions. Figure 8 shows the age of OpenSSL versions.
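The same version-age measurement can be run against an organization's own inventory. The Python below is an added example, not Cisco's scanner: it parses OpenSSL versions out of constructed server banners, computes each version's age in months from an assumed release-date table (check the dates against openssl.org before relying on them), and reports the share of hosts older than the report's 50-month threshold together with hosts still on a Heartbleed-affected 1.0.1 release.

```python
import re
from datetime import date

# Assumed release dates for the versions in the sample inventory (from memory;
# verify against the openssl.org release history before relying on them).
RELEASE_DATES = {
    "0.9.8": date(2005, 7, 5),
    "1.0.0": date(2010, 3, 29),
    "1.0.1": date(2012, 3, 14),
    "1.0.1e": date(2013, 2, 11),
    "1.0.1g": date(2014, 4, 7),   # first 1.0.1 release without Heartbleed
}

# Reference date for the age calculation (end of the report's data window).
REFERENCE_DATE = date(2014, 11, 30)

# Constructed server banners as a scanner might record them; hosts are invented.
SAMPLE_INVENTORY = {
    "appliance-a.example.test": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "appliance-b.example.test": "Apache/2.0.63 OpenSSL/0.9.8e",
    "lb-1.example.test": "nginx/1.6.2 OpenSSL/1.0.1g",
    "vpn-1.example.test": "OpenSSL/1.0.0",
    "kiosk-1.example.test": "lighttpd/1.4.28",   # no OpenSSL banner at all
}

VERSION_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (base, letter) such as ('1.0.1', 'e'), or None if no banner."""
    m = VERSION_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


def months_between(released, reference):
    """Whole calendar months from released to reference."""
    months = (reference.year - released.year) * 12 + (reference.month - released.month)
    if reference.day < released.day:
        months -= 1
    return months


def version_age_months(version, reference=REFERENCE_DATE):
    """Age of a version in months. When the exact letter release is not in the
    table, fall back to the branch release date; this overstates the age of
    later letter releases, so extend RELEASE_DATES for exact answers."""
    base, letter = version
    released = RELEASE_DATES.get(base + letter) or RELEASE_DATES.get(base)
    return None if released is None else months_between(released, reference)


def heartbleed_affected(version):
    """Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g and later are fixed."""
    base, letter = version
    return base == "1.0.1" and letter <= "f"


def audit(inventory, reference=REFERENCE_DATE, max_months=50):
    """Summarize a fleet the way the report does: share of hosts whose OpenSSL
    is older than max_months, plus the hosts still exposed to Heartbleed."""
    aged, vulnerable, unknown = [], [], []
    for host, banner in inventory.items():
        version = parse_openssl_version(banner)
        age = version_age_months(version, reference) if version else None
        if age is None:
            unknown.append(host)      # no OpenSSL banner or unknown version
            continue
        if age > max_months:
            aged.append(host)
        if heartbleed_affected(version):
            vulnerable.append(host)
    counted = len(inventory) - len(unknown)
    return {
        "percent_older_than_max": round(100 * len(aged) / counted) if counted else 0,
        "aged_hosts": sorted(aged),
        "heartbleed_hosts": sorted(vulnerable),
        "unknown_hosts": sorted(unknown),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```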

Figure 8. OpenSSL Version Age: 56% of devices indexed use versions of OpenSSL more than 50 months old. Source: Cisco Security Research

Uncovering the Archaeology of Vulnerabilities: The Dangers of Outdated Software—and Why Patching Isn’t the Only Solution


Greater use of automatic updating may be one solution to the outdated software problem. Cisco Security Research examined data from devices that were connected online and using either the Chrome or IE browser. The data showed that 64 percent of Chrome requests originate from the latest version of that browser. As for IE users, just 10 percent of requests originated from the latest version.

Cisco Security Research suggests that the Chrome automated update system may be more successful in ensuring that as many users as possible have the most recent software version. (Also, it’s possible that Chrome users are more technically proficient than IE users and thus, are more likely to update their browsers and install updates.)

When combined with the downturn in Java vulnerabilities and exploitation, the research clearly indicates that software that automatically installs its own updates seems to have an advantage in creating a safer security framework. To overcome the guaranteed eventual compromise that results from manual update processes, it may be time for organizations to accept the occasional failure and incompatibility that automatic updates represent.

Industry Vertical Risk Report: Targeting by Adversaries and Users’ Careless Practices Are a Potent Combination for Companies in High-Risk Verticals

The pharmaceutical and chemical industry has emerged as the number-one high-risk vertical for web malware encounters in 2014. For the first half of the year, media and publishing held the top spot, but had edged down to second place by November. Rounding out the top five are manufacturing, transportation and shipping, and aviation, respectively. All of these verticals placed in the top five for the first half of 2014.

While the retail vertical might be expected to have a higher ranking on this list given recent high-profile attacks that have plagued the industry, it is malicious encounters, and not actual breaches, that are used to create the rankings.

To determine sector-specific malware encounter rates, Cisco Security Research compares the median encounter rate for all organizations that use Cisco Cloud Web Security to the median encounter rate for all companies in a specific sector that are using the service (Figure 9). An industry encounter magnitude above 1 reflects a higher than normal risk of web malware encounters, whereas a magnitude below 1 reflects a lower risk. For example, a company with a 1.7 encounter magnitude is at a 70 percent increased risk than the median. Conversely, a company with a 0.7 encounter magnitude is 30 percent below the median risk of encounter.

Encounter vs. Compromise

An “encounter” is an instance when malware is blocked. Unlike a “compromise,” a user is not infected during an encounter because a binary is not downloaded.

Possible Solutions: Automatic Updates and Patching


Figure 9. Vertical Risk of Web Malware Encounters, All Regions, January 1 – November 15, 2014 (encounter magnitude)

Top 10 (1-5):

► Pharmaceutical and Chemical: 4.78

► Media and Publishing: 3.89

► Manufacturing: 2.53

► Transportation and Shipping: 2.08

► Aviation: 2.01

Top 10 (6-10):

► Food and Beverage: 1.68

► Legal: 1.63

► Agriculture and Mining: 1.51

► Insurance: 1.49

► Utilities: 1.42

Source: Cisco Security Research


Cisco Security Research examined eight types of attack methods (Figure 10) to determine whether targeting by adversaries or how people use the web was the key factor for increasing an industry vertical’s risk for malware encounters. They found a perfect storm, with the combination of targeted attack methods and careless user behavior online both having an impact on the level of risk.

To determine whether there was in fact a difference between high- and low-risk vertical user behavior, Cisco Security Research looked at four types of non-targeted attack methods users often encounter when browsing the Internet: adware, clickfraud, scam, and iframe injections. The team also looked at four types of more advanced attack methods that adversaries often employ in targeted campaigns: exploit, Trojan, OI (detection malware), and downloader.

Note: The eight attack methods have been categorized by Cisco Security Research into heuristic buckets.


Using the top and bottom four most malware-exposed verticals, according to Cisco Cloud Web Security data, Cisco Security Research then took the percentage of incidents for each type of attack method and created average rates for the top and bottom four verticals. The comparison shown in Figure 10 was derived by dividing the top average by the bottom average. A ratio of one indicates that the same patterns of activity are observed between the most- and least-targeted groups.

The data shows that the most high-risk industry verticals encounter sophisticated downloader attack methods at a frequency seven times higher than that of the bottom four high-risk industry verticals. This is consistent with what one would expect if targeted attack methods against the highest-risk verticals were taking place.
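Both calculations described above, the per-vertical encounter magnitude behind Figure 9 and the top-four versus bottom-four attack-method ratio behind Figure 10, are reproduced in the added Python example below; it is not Cisco's code. The vertical names are taken from the report, while the organizations, their encounter rates (assumed to be blocked encounters per 1,000 web requests), and their attack-method mixes are constructed so that the downloader ratio comes out at the 7x the report describes.

```python
from collections import defaultdict
from statistics import median

METHODS = ("downloader", "adware", "scam")

# Constructed sample fleet: (vertical, org id, encounter rate, share of the
# org's encounters per method in METHODS order). Vertical names come from the
# report; every number here is made up for the illustration.
SAMPLE_ORGS = [
    ("Pharmaceutical and Chemical", "pharma-1", 9.0, (0.30, 0.15, 0.10)),
    ("Pharmaceutical and Chemical", "pharma-2", 10.0, (0.40, 0.25, 0.10)),
    ("Media and Publishing", "media-1", 7.0, (0.30, 0.15, 0.10)),
    ("Media and Publishing", "media-2", 8.0, (0.40, 0.25, 0.10)),
    ("Manufacturing", "mfg-1", 5.0, (0.35, 0.15, 0.10)),
    ("Manufacturing", "mfg-2", 6.0, (0.35, 0.25, 0.10)),
    ("Transportation and Shipping", "ship-1", 4.0, (0.30, 0.15, 0.10)),
    ("Transportation and Shipping", "ship-2", 4.5, (0.40, 0.25, 0.10)),
    ("Aviation", "avia-1", 3.5, (0.04, 0.10, 0.10)),
    ("Aviation", "avia-2", 4.0, (0.06, 0.10, 0.10)),
    ("Insurance", "ins-1", 2.5, (0.05, 0.10, 0.10)),
    ("Insurance", "ins-2", 3.0, (0.05, 0.10, 0.10)),
    ("Utilities", "util-1", 2.0, (0.04, 0.10, 0.10)),
    ("Utilities", "util-2", 2.5, (0.06, 0.10, 0.10)),
    ("Government", "gov-1", 1.0, (0.05, 0.10, 0.10)),
    ("Government", "gov-2", 1.5, (0.05, 0.10, 0.10)),
]


def encounter_magnitudes(orgs):
    """Figure 9 metric: median encounter rate within a vertical divided by the
    median rate across every organization. 1.0 means 'same as the median'."""
    overall = median(rate for _, _, rate, _ in orgs)
    by_vertical = defaultdict(list)
    for vertical, _, rate, _ in orgs:
        by_vertical[vertical].append(rate)
    return {v: median(rates) / overall for v, rates in by_vertical.items()}


def risk_delta_percent(magnitude):
    """Express a magnitude the way the report does: 1.7 -> +70 percent."""
    return round((magnitude - 1.0) * 100)


def method_ratios(orgs, k=4):
    """Figure 10 metric: average per-method share across the k highest-risk
    verticals divided by the same average across the k lowest-risk verticals.
    A ratio of 1 means both groups show the same activity pattern."""
    ranked = sorted(encounter_magnitudes(orgs).items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) < 2 * k:
        raise ValueError("need at least 2k verticals for disjoint top/bottom groups")
    top = {v for v, _ in ranked[:k]}
    bottom = {v for v, _ in ranked[-k:]}

    def average_mix(group):
        mixes = [mix for vertical, _, _, mix in orgs if vertical in group]
        return [sum(m[i] for m in mixes) / len(mixes) for i in range(len(METHODS))]

    top_avg, bottom_avg = average_mix(top), average_mix(bottom)
    return {m: top_avg[i] / bottom_avg[i] for i, m in enumerate(METHODS)}


if __name__ == "__main__":
    mags = encounter_magnitudes(SAMPLE_ORGS)
    for vertical, mag in sorted(mags.items(), key=lambda kv: -kv[1]):
        print(f"{vertical:<28} magnitude {mag:.2f} ({risk_delta_percent(mag):+d}% vs median)")
    for method, ratio in method_ratios(SAMPLE_ORGS).items():
        print(f"{method:<10} top-4 / bottom-4 ratio = {ratio:.1f}")
```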

The rate of encounters with clickfraud and adware is also higher in the most-targeted and high-risk industry verticals compared to the less-targeted and lower-risk verticals. This suggests that the difference may be more complex than just targeting by malicious actors. User behavior may also be implicated in the increased exposure to malware, possibly through differences in how users engage with the Internet and their browsing habits, and are therefore contributing to the higher frequency of web malware attack method encounters in high-risk industry verticals. Also, users in industries where the quick embrace of new media is encouraged and necessary for competition and innovation are likely encountering web malware attack methods at higher rates than users in other industries, such as government, where Internet use may be more limited and/or strictly controlled.

For example, Cisco Security Research suggests that because users in the media and publishing industry are typically heavy users of the Internet, they are at risk of encountering web exploits more often than users in other industry verticals.

Note: In 2014, the media and publishing industry experienced significantly higher than normal rates of web malware encounters than previously observed by Cisco Security Research, which has been compiling this data since 2008. Users’ exposure to more widespread malvertising on legitimate websites could be a contributing factor to this increase.

Figure 10. Web Malware Attack Methods: Comparison of the Top Four and Bottom Four High-Risk Verticals (ratio scale from 1 to 70; methods shown: Adware, Exploit, Trojan, iFrame Injection, Clickfraud, Scam, OI, Downloader; Downloader is 7x greater than the average ratio of 1). Source: Cisco Security Research


Figure 11. Highest-Risk Verticals for Malware Exposure across AMER, APJC, and EMEA (encounter magnitude)

AMER:

► Aviation: 5.0

► Media and Publishing: 2.8

► Accounting: 2.4

► IT and Telecommunications: 1.1

► Utilities: 1.1

EMEA:

► Agriculture and Mining: 2.8

► Food and Beverage: 2.0

► Insurance: 2.0

► Manufacturing: 1.6

► Media and Publishing: 1.6

APJC:

► Insurance: 6.0

► Real Estate and Land Management: 3.5

► Automotive: 3.4

► Transportation and Shipping: 3.2

► Manufacturing: 2.4

Source: Cisco Security Research

Following is web malware encounter risk data for high-risk industry verticals according to region. The three regions are defined as follows:

► North America, Central America, and Latin America (AMER)

► Asia-Pacific, China, Japan, and India (APJC)

► Africa, Europe, and the Middle East (EMEA)

Cisco Security Research identified the highest-risk localized industry verticals (see industries listed in Figure 11) across the world and determined that:

► Users in the insurance industry in APJC are six times more likely to be exposed to malware compared to the 12 verticals examined in all three regions. (Baseline average: 1.5.)

► Users in the aviation industry in AMER are five times more likely to be exposed to malware.

► Users in the real estate and land management industry in APJC, and users in the automotive industry in that region, are both 3.5 times more likely to be exposed to malware.

► Users in the transportation and shipping industry in APJC are 3.25 times more likely to be exposed to malware.

Cisco Security Research cites skyrocketing land and housing prices, recent natural disasters, and heavy export and manufacturing activity in APJC as factors for adversaries targeting users in that region who work in or do business with the automotive, insurance, real estate and land management, and transportation and shipping industries. Theft of customer data, intellectual property (including targeting by nation states), and air freight data are likely top motivations for targeting users in the aviation industry in AMER.

Malware Encounters by Region


Figures 12a through 12c reveal, by region, the techniques adversaries are using most often to distribute malware. The findings in these charts are based primarily on where blocks of web malware occurred (that is, encounters), according to Cisco Cloud Web Security data, versus types of threats on the web.

During the year 2014, users in AMER were targeted primarily by malicious scripts; iframe injections were a distant second. In APJC, adversaries have been relying heavily on scams, malicious scripts, and web-based exploits over the past year to compromise users in all verticals. And in EMEA, web-based exploits are especially prevalent.

Figure 12a. Attack Method Distribution, AMER (attack method, total %): Script 24.93%; iFrame Injection 17.43%; Exploit 13.63%; the other two methods shown, OI (detection malware) and Trojan, take the remaining values of 10.35% and 10.06%. Source: Cisco Security Research

Figure 12b. Attack Method Distribution, APJC (attack method, total %): Script 25.04%; iFrame Injection 18.68%; the other three methods shown, Scam, OI (detection malware), and Exploit, take the remaining values of 25.26%, 9.93%, and 6.72%. Source: Cisco Security Research

Figure 12c. Attack Method Distribution, EMEA (attack method, total %): Script 15.17%; Exploit 8.64%; the other three methods shown, Scam, iFrame Injection, and OI (detection malware), take the remaining values of 51.48%, 7.31%, and 4.16%. Source: Cisco Security Research

Read the Cisco Security blog post, “Threat Spotlight: Group 72,” to learn about the role of Cisco Security Research in helping to identify and disrupt the activities of a threat actor group targeting high-profile organizations with high-value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors.

For details on the Remote Administration Tool (RAT) that Group 72 used to conduct cyberespionage, view this post: “Threat Spotlight: Group 72, Opening the ZxShell.”

Attack Methods for Distributing Malware, by Region


Phishing continues to prove its value to criminals as a tool for malware delivery and credential theft because users still fall prey to familiar spam tactics. Attackers have become aware that it is often easier to exploit users at the browser and email level, rather than compromising servers—which means spammers continue to innovate.

It is not uncommon to see an anti-spam system catch more than 99 percent of the spam passing through it. Most of the best anti-spam systems catch more than 99.9 percent of spam. In this environment, spammers try just about anything to evade spam filters. To ensure that spam reaches its intended audience, spammers are increasingly using these tactics to avoid detection by IP-based anti-spam reputation technologies.

Enter snowshoe spam: The comparison is apt because snowshoes allow a person to walk over deep snow by distributing their weight over a larger surface area, thus preventing the wearer’s foot from sinking. Snowshoe spam is unsolicited bulk email that is sent using a large number of IP addresses, and at a low message volume per IP address, thus preventing some spam systems from sinking the spam. Figure 13 highlights the rise in snowshoe spam from 2013 to 2014.

In a recent snowshoe spam campaign observed by Cisco Security Research, a blitz approach was used. This means the total spam campaign took place over just three hours, but at one point accounted for 10 percent of global spam tra�c (Figure 14).

The snowshoe messages examined by Cisco researchers show some standard hallmarks of spam. For example, they have misspelled subject lines such as “inovice 2921411.pdf,” and include a randomly generated number. Attachments were typically PDF files containing a Trojan exploiting a vulnerability in Adobe Reader.

To mitigate snowshoe spam, security professionals cannot simply rely on solutions that are based on reputation, since the same messages in a campaign can originate from hundreds or even thousands of places in the case of botnet-derived campaigns. Examining other hallmarks of spam, such as email server hygiene, can provide more precise detection. In the campaigns observed by Cisco Security Research, for instance, many of the IP addresses lacked matching forward and reverse domain name systems (DNS), which is generally considered an obvious indicator that a mail server is not legitimate.

Many of these IP addresses also lacked records of sending emails prior to the start of the snowshoe campaign, further indicating that online criminals are using compromised machines to create an infrastructure for snowshoe spam.
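The hygiene checks described above can be turned into detection logic on a mail gateway's own logs. The Python below is an added example and not Cisco's tooling: it groups a constructed MTA log by campaign (collapsing the randomly generated number in the subject), flags campaigns spread thinly across many source IPs, and checks each IP for forward-confirmed reverse DNS and prior sending history against a constructed, offline DNS view. The thresholds min_ips and max_per_ip, the log format, and all addresses and names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of MTA records, one line per accepted message. Addresses
# are RFC 5737 documentation ranges; subjects mimic the report's "inovice" lure.
SAMPLE_LOG = """\
2014-08-15T12:01:03 ip=198.51.100.11 subject="inovice 2921411.pdf" attach=inovice_2921411.pdf
2014-08-15T12:01:09 ip=198.51.100.12 subject="inovice 7730021.pdf" attach=inovice_7730021.pdf
2014-08-15T12:01:15 ip=203.0.113.40 subject="inovice 1180904.pdf" attach=inovice_1180904.pdf
2014-08-15T12:01:22 ip=203.0.113.41 subject="inovice 5562110.pdf" attach=inovice_5562110.pdf
2014-08-15T12:01:30 ip=203.0.113.42 subject="inovice 9000123.pdf" attach=inovice_9000123.pdf
2014-08-15T12:01:41 ip=198.51.100.13 subject="inovice 4477012.pdf" attach=inovice_4477012.pdf
2014-08-15T12:02:00 ip=192.0.2.10 subject="Weekly newsletter #31" attach=-
2014-08-15T12:02:05 ip=192.0.2.10 subject="Weekly newsletter #31" attach=-
2014-08-15T12:02:11 ip=192.0.2.10 subject="Weekly newsletter #31" attach=-
"""

# Constructed DNS view standing in for live PTR and A lookups so the example runs offline.
PTR = {
    "192.0.2.10": "mail.example-news.test",
    "198.51.100.11": "host-11.isp.test",        # PTR exists but does not resolve back
    "203.0.113.40": "mx.legit-looking.test",
}
A = {
    "mail.example-news.test": {"192.0.2.10"},
    "host-11.isp.test": {"198.51.100.99"},
    "mx.legit-looking.test": {"203.0.113.40"},
}
# IPs seen sending mail before the campaign window (constructed history).
KNOWN_SENDERS = {"192.0.2.10", "203.0.113.40"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)$'
)


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def campaign_key(subject):
    """Collapse the randomly generated number so every 'inovice NNNNNNN.pdf'
    message lands in the same campaign bucket."""
    return re.sub(r"\d+", "#", subject.lower())


def has_matching_fcrdns(ip):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    name = PTR.get(ip)
    return name is not None and ip in A.get(name, set())


def find_snowshoe_campaigns(rows, min_ips=5, max_per_ip=2):
    """Group messages by campaign key and flag keys spread thinly over many IPs,
    recording which source IPs also fail the two hygiene checks from the report."""
    per_campaign = defaultdict(lambda: defaultdict(int))
    for r in rows:
        per_campaign[campaign_key(r["subject"])][r["ip"]] += 1
    findings = {}
    for key, ips in per_campaign.items():
        spread = len(ips) >= min_ips and max(ips.values()) <= max_per_ip
        findings[key] = {
            "distinct_ips": len(ips),
            "max_msgs_per_ip": max(ips.values()),
            "snowshoe": spread,
            "ips_without_fcrdns": sorted(ip for ip in ips if not has_matching_fcrdns(ip)),
            "ips_without_history": sorted(ip for ip in ips if ip not in KNOWN_SENDERS),
        }
    return findings


if __name__ == "__main__":
    for key, info in find_snowshoe_campaigns(parse_log(SAMPLE_LOG)).items():
        print(key, info)
```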

Figure 13. Spam from Snowshoe Senders on the Rise (share of spam by sender type, 11/13 to 6/14, scale 0.00% to 8.00%; series: Freemail Sender, Marketing Sender, Other Sender, Snowshoe Sender). Source: Cisco Security Research

Figure 14. Snowshoe Spam Campaign Incident (Aug 15, 2014, 12:00:00-15:45:00). Source: Cisco Security Research

To learn more about snowshoe spam, see the Cisco Security blog post, “Snowshoe Spam Attack Comes and Goes in a Flurry.”

Spam Update: Spammers Adopt the “Snowshoe” Strategy


Worldwide spam volumes are on the rise, indicating that spam is still a lucrative vector for online criminals (Figure 16). Adversaries continue to refine messages so that spam is more likely to fool recipients into clicking on dangerous links, often using social engineering tactics.

While spam volume has generally been on the decline in the United States in 2014, levels rose in other countries during the same time period (Figure 15). Cisco Security Research suggests that this indicates some malicious actors may be shifting their base of operations. The rise in spam volume in some countries may also be a sign that other regions are catching up to the United States in terms of spam production, as the country has long been a leading source of worldwide spam. Ultimately, the United States ended the year higher.

Spear-phishing messages, a staple of online criminals for years, have evolved to the point where even experienced end users have a hard time spotting faked messages among their authentic emails. These messages, which target specific individuals with a well-crafted message, appear to come from well-known vendors or service providers from whom users commonly receive messages—for example, delivery services, online shopping sites, and music and entertainment providers. Emails with a trusted name and a logo, even if spoofed, carry more weight than the old-school spam messages touting pharmaceuticals or watches. And if the messages have a call to action that is familiar to recipients, such as a notice about a recent order, or a delivery tracking number, users will be further enticed to click on links contained in the email.

Cisco Security Research recently observed a small number of spear-phishing messages purporting to originate from Apple Inc., claiming that the recipients had downloaded a popular game for mobile iOS devices. The email subject line included a randomly generated receipt number, another seemingly authentic touch, since legitimate emails would usually contain such a number. A link in the message suggested that recipients log in and change their passwords if they had not initiated the game download, and the link redirected the user to a known phishing website.

Figure 15. Spam Volumes by Country (change in % from Jan. to Nov. 2014, with the November % in parentheses; increase or decrease; countries shown: United States, Brazil, Taiwan, India, China, Russia, Vietnam, Korea, Republic of). Labeled values: China 25.00% (29% 11/14); Russia 3.00% (3% 11/14); Korea, Republic of 1.00% (1% 11/14); Taiwan 0.00% (1% 11/14); further values shown on the chart: 6.00% (20% 11/14), 2.00% (3% 11/14), 1.00% (2% 11/14), 0.00%. Source: Cisco Security Research

Figure 16. Worldwide Spam Volume Increase in 2014 (monthly, Jan through Nov; 259 BN/Day in Nov): worldwide spam volumes are on the rise. Source: Cisco Security Research

Spammers Expand Tactics to Outwit Consumers


When spammers find a formula that succeeds—meaning they are able to convince users to click on links within spam, or purchase fake products—they will tweak messages so that their basic structure remains the same. But the messages are different enough that they can evade spam filters, at least for a short time. In Table 2, Cisco researchers tallied the number of times during a sample period that the spammers attempted to change message content in order to evade ongoing mitigations. The table lists those threats that required Cisco Email Security Appliance (ESA) rule changes.

Table 2. Threat Outbreak Alerts: Most Persistent Spam and Phishing Threats (columns: IntelliShield ID, Headline, Version; the chart also carries Urgency, Credibility, and Severity columns)

IntelliShield ID | Headline | Version
24986 | Threat Outbreak Alert: Fake FedEx Shipment Notification | 95
30527 | Threat Outbreak Alert: Malicious Personal Pictures Attachment | 81
36121 | Threat Outbreak Alert: Fake Electronic Payment Canceled | 80
23517 | Threat Outbreak Alert: Fake Product Order Email Message | 79
23517 | Threat Outbreak Alert: Fake Invoice Statement Attachment | 78
27077 | Threat Outbreak Alert: Fake Money Transfer Notification | 78
26690 | Threat Outbreak Alert: Fake Bank Payment Transfer Notification | 78
31819 | Threat Outbreak Alert: Fake Fax Message Delivery Email | 88

Source: Cisco Security Research

Spammers Morph Messages to Evade Detection


Cisco Security Research recently conducted in-depth analysis of a web-based threat that uses malvertising (malicious advertising) from web browser add-ons as a medium for distributing malware and unwanted applications. The group discovered that the threat has strong characteristics that resemble the behavior of a botnet. Through the team’s research, which included the examination of the activity of more than 800,000 users at 70 companies from January 1 through November 30, 2014, Cisco Security Research measured the overall size of the threat and corroborated the intention and structure.

The analysis revealed that this family of browser add-ons is far more extensive than expected and that the malware creators are using a combination of highly sophisticated, professionally written code and a refined business model to keep their malware in profitable operation for the long term. In other words, full control over the targeted host is not necessary for successful monetization. This leads to increased prevalence of malware deliberately engineered for lower impact on the affected host, and optimized for long-term monetization over a large affected population.

Compromised users are infected with these malicious browser add-ons through the installation of bundled software (software distributed with another software package or product) and usually without clear user consent. Applications such as PDF tools or video players downloaded from untrusted sources are installed knowingly by users believing they are legitimate.

The applications can be “bundled” with unwanted and malicious software. This approach of distributing malware follows a pay-per-install (PPI) monetization scheme, in which the publisher gets paid for every installation of software bundled in the original application.

Many users inherently trust add-ons or simply view them as benign, which is why this approach to malware distribution is proving successful for malicious actors. This method of distributing malware allows adversaries to decrease their reliance on other techniques, such as exploit kits, that may be more detectable. (See “Web Exploits: For Exploit Kit Authors, Holding the Top Spot May Not Mean You’re the Best,” page 7.)

Cisco Security Research observed that the web traffic generated by this browser add-on family has specific characteristics, and can be identified by two well-defined patterns. The query string usually contains encoded data, in which information such as the add-on name and the URL the user previously visited (including intranet links), is exfiltrated.

During its analysis, Cisco Security Research found more than 4000 different add-on names, including PassShow, Bettersurf, Bettermarkit, and associated SHAs (bee4b83970�a8346f0e791be92555702154348c14bd8 a1048abaf5b3ca049e35167317272539fa0dece3ac1a60 10c7a936be8cbf70c09e547e0973ef21718e5). Because more than one add-on name may be used per installation, the malware is very difficult to track (Figure 17).

Figure 17. Threat Activity and Infection Flow: software bundles install the add-on; the add-on exfiltrates browsing and other information, injects ads into visited web pages, and contains additional malicious software. Source: Cisco Security Research

Malvertising from Browser Add-Ons: Inflicting Slight Damage Per User to Collect Big Rewards


Malware Detects OS Types, Serves Up Appropriate Exploits

Cisco security researchers observed that the malicious add-ons they analyzed will display a certain type of advertising depending on the browser “fingerprint” of a user. Injected ads for Linux users were usually about online gaming sites. Users who had Microsoft IE installed were redirected to ads that lead to the download of seemingly legitimate software, which actually turns out to be malicious.

Based on analysis of 11 months of user activity at 70 companies, the number of users affected by this threat has been rising. In January, 711 users were affected, but in the second half of the year the number of affected users went above 1000, with a peak in September, of 1751 (Figure 18). One of the reasons for the significant spike in September and October could be the increase in online activity, with people back to work after summer vacations.

Through research, Cisco security experts learned that adversaries are employing several different servers to support their malware campaigns. This likely means that either one cybercriminal organization skilled at keeping its activities segmented is responsible for the threat, or one “technology provider” is selling its product to several groups. Regardless, whoever is responsible for distributing the malware appears to be attempting to create a botnet of substantial size.

Figure 18. Number of Affected Users Per Month, Jan. through Nov. 2014 (companies: 70; months: 11; all users: 886,646; max affected in a month: 1751). Source: Cisco Security Research

Illustration of injected ads served by browser fingerprint: Linux, Microsoft IE. Source: Cisco Security Research


Cisco Security Research also found more than 500 unique domains associated with this threat; 24 of them are ranked on Alexa below the top 1 million domains. Many are also relatively highly ranked domains (Figure 19). This means they are popular domains, yet very dangerous for users to visit due to the risk of compromise.

Some of the domains have been active for more than a year, but most have a much shorter lifecycle—only a few weeks, in many cases (Figure 19). All of the domains share one characteristic: They become popular very quickly.


Figure 19. Popular Domains Used for Malvertising in the Browser Add-On Scheme, Rated on Alexa (Alexa.com traffic rank, June 2014 to Nov. 2014, in the bands <10,000, 10,000-1,000,000, and >1,000,000): 568+ unique domains; 24 currently listed on Alexa.com; 10 have high popularity rankings over the past 6 months. Source: Cisco Security Research

Tips for Prevention and Remediation

To avoid being compromised by the browser add-on scheme, or to address an existing infection, users should apply the following tips:

► Download applications from trusted sources

► Unselect unwanted software in bundle installs

► Use threat analytics, sandboxing technologies, and web security technologies to help prevent and detect this type of threat

► Manually remove add-ons if possible; also, use antispyware tools to clean up unwanted programs


Cisco Security Capabilities: How Well Do Organizations Measure Up?

How do enterprise security professionals view their organizations’ readiness to handle security breaches? The answer may depend on the role they play within an organization, and which industry they work in, according to the new Cisco Security Capabilities Benchmark Study.

Figure 20 shows the responses of professionals by industry and company size. Non-computer-related manufacturers and utility/energy respondents report the highest levels of security involvement and knowledge.

Figure 20. Respondent Profiles and Security Breach Readiness (Security Capabilities Benchmark Study Respondent Profile; N (number of respondents) = 1738). Industries represented: Financial, Government, Non-Computer-Related Manufacturing, Transportation, Chemical Engineering, Utilities and Energy, Healthcare, Telecommunications, Pharmaceutical, Agriculture, Mining, Other (shares shown: 15%, 14%, 9%, 8%, 7%, 7%, 6%, 6%, 3%, 2%, 1%). Role: CISO or Equivalent 54%, SecOps 46%. Company size: Enterprise (1000+ Employees) and Midmarket (250-999 Employees), 52% and 48%. Areas of security involvement: Setting Overall Vision & Strategy 83%; Defining Requirements 76%; Researching & Evaluating Solutions 78%; Implementing & Managing Solutions 79%; Approving Budgets 66%; Making Final Brand Recommendations (chart values 81% and 21%). Source: Cisco Security Capabilities Benchmark Study

2. Cisco Security Capabilities Benchmark Study

To gauge perceptions of security professionals on the state of security in their organizations, Cisco asked chief information security officers (CISOs) and security operations (SecOps) managers in several countries and at organizations of different sizes about their security resources and procedures. The Cisco Security Capabilities and Benchmark Study, completed in October 2014, offers insights on the sophistication level of security operations, and security practices currently in use.


The study surveyed CISOs and SecOps managers to learn about the resources their companies are devoting to cybersecurity; their security operations, policies, and procedures; and the sophistication level of their cybersecurity operations. The good news from the survey is that a majority of security professionals believe they have the tools and processes in place to maintain security e�ectively. However, CISOs are notably more optimistic than their SecOps colleagues about the state of their security. For example, 62 percent of CISOs said they strongly agree that security processes in their organization are clear and well understood, compared to only 48 percent of SecOps managers. CISOs also view their security processes in a more favorable light. Fifty-nine percent of those surveyed strongly agree that these processes are optimized, and that they now focus on process improvement, compared to 46 percent of SecOps managers.

Why the gap in confidence levels? It’s likely due to the fact that CISOs are more removed from day-to-day security activities, whereas SecOps staff are working closely to resolve both major and minor security incidents. A CISO of a very large organization might not realize that a thousand machines are infected by malware in a typical day, whereas the SecOps manager would have devoted much more time to mitigating the infection, hence his or her less optimistic outlook on organizational security.

In addition, CISOs may be setting policies, such as blocking access to social media, which give them the illusion of tighter, more impenetrable security defenses. However, by shutting down such channels completely, security teams may lack knowledge or experience of the threats that still exist just outside their networks.

Another gap in confidence appeared when respondents were asked about their confidence in their organizational security policies. Both CISOs and SecOps managers show high levels of confidence in policies (see Figure 21); yet they have less confidence in their abilities to scope and contain compromises (see Figure 28).

A similar gap appeared when respondents were asked about their security controls: Nearly all respondents said they had good security controls, but about one-quarter perceive their security tools to be only “somewhat” rather than “very” or “extremely” effective (see Figure 29).

Confidence in security processes and practices also seems to vary by industry. CISOs and SecOps managers for utility/energy companies and telecommunications businesses seem to be the most confident, while government, financial services, pharmaceuticals, and healthcare organizations seem less confident. For instance, 62 percent of telecommunications and utility/energy security executives strongly agree that their security processes are optimized, compared to 50 percent of those working in financial services and 52 percent in government.

Utilities/energy and telecommunications security professionals seem to be the most sophisticated in their security practices, while government and financial services organizations seem less sophisticated. Utility and energy organizations tend to have well-documented processes and procedures for incident tracking. However, this does not necessarily mean they are more secure than organizations in other industries.

Figure 21 data: Percentage who strongly agree that security processes are optimized and now focus on process improvement: utilities/energy and telecommunications 62%, government 52%, financial services 50%. 90% of companies are confident about their security policies, processes, and procedures; however, 54% have had to manage public scrutiny following a security breach.

Few differences emerge between enterprise and midmarket organizations, indicating that number of employees alone has little to do with security sophistication.

Source: Cisco Security Capabilities Benchmark Study

Figure 21. Key Findings by Industry and Job Title


Mapping Sophistication Levels to Current Sample

Cisco explored several options for sample segmentation before selecting a five-segment solution based on a series of questions targeting security processes. The five-segment solution maps fairly closely to the Capability Maturity Model Integration (CMMI).

► Level 5, Optimizing (High): focus is on process improvement

► Level 4, Quantitatively Managed (Upper-Middle): processes quantitatively measured and controlled

► Level 3, Defined (Middle): processes characterized for the organization; often proactive

► Level 2, Repeatable (Lower-Middle): processes characterized for projects; often reactive

► Level 1, Initial (Low): processes are ad hoc, unpredictable

Source: Cisco Security Capabilities Benchmark Study

The Cisco Security Capabilities Benchmark Study also highlighted the hallmarks of organizations that are more sophisticated in their security posture than others. These hallmarks include:

► Executive leadership that prioritizes security

► Clear, well-documented policies and procedures

► Integrated tools that work together

Ninety-one percent of respondents from sophisticated companies strongly agree that company executives consider security a high priority, while only 22 percent of respondents from the least-sophisticated companies agree with this statement. In addition, 88 percent of respondents from sophisticated companies strongly agree that security processes are clear and understood, compared to 0 percent of respondents from the least-sophisticated companies.

Figure 22. Mapping Sophistication Levels to Current Sample


Signs of Security Sophistication


Figure 23 data: 91% report having an executive with direct responsibility for security; this is most often a CISO (29%) or CSO (24%). Percentage who strongly agree that security processes are clear and well understood: SecOps 48%, CISO or equivalent 62%. Percentage who strongly agree that security processes are optimized and now focus on process improvement: SecOps 46%, CISO or equivalent 59%. CISOs (and equivalent) are more optimistic than SecOps managers about the state of security in their companies, perhaps because they’re further from day-to-day realities.

Source: Cisco Security Capabilities Benchmark Study

Figure 23. Key Findings on Security Leadership Within Organizations

Figure 23 shows that 91 percent of respondents report having an executive with direct responsibility for security, most often a CISO or a chief security officer (CSO). The high level of organizations with a security point person is encouraging: Without security leadership, processes are less defined, communicated, and enforced. It is likely that recent high-profile security breaches have spurred on organizations to carve out a place for security management in their executive ranks.

Seventy-eight percent of respondents from more sophisticated companies strongly agree that security technologies are well integrated to work effectively together, compared to 17 percent of respondents from the least-sophisticated companies.

The positive news for organizations hoping to boost the sophistication of their security processes is that assembling a large team of hard-to-find security talent isn’t necessarily a requirement. In the least-sophisticated organizations, the median number of security professionals is 32; in those with the highest levels of sophistication, the median number of security staff is also 32. Therefore, employing more people does not seem to directly correlate to better management of security processes. A better approach to staffing security personnel would be to find an optimal ratio of security staff to the number of overall employees in the company.


Figure 24 data: Percentage who strongly agree (security-sophisticated vs. less-sophisticated organizations): company executives consider security a high priority 91% vs. 22%; security processes are clear and well understood 88% vs. 0%; security technologies are well integrated to work effectively together 78% vs. 17%. Median number of security professionals in the organizations represented in each of the five segments: Low 32, Lower-Mid 49, Middle 29, Upper-Mid 30, High 32. Security staff size does not predict sophistication.

Source: Cisco Security Capabilities Benchmark Study

Figure 24. Key Findings on Security Prioritization

Figure 24 reveals that less-sophisticated security organizations generally do not believe that executives consider security a high priority, nor do they believe that security processes are clear and well understood.

In comparing the security sophistication level of organizations by country, there’s more good news: Highly sophisticated organizations are the majority in every segment. However, respondents in some countries appear to have a more positive view of their own security stance than the outside world does. Overly confident perceptions from respondents in some countries may be due in part to core social values of a culture, such as the need to present one’s self—and thus, one’s organization—in a positive light.

Beware of Overconfidence

While CISOs and SecOps managers are showing confidence in their security operations, they also indicate that they do not use standard tools that can help thwart security breaches. Less than 50 percent of respondents use the following tools:

► Identity administration or user provisioning

► Patching and configuration

► Penetration testing

► Endpoint forensics

► Vulnerability scanning


Organization Security Resources

Figure 25 data (security resource snapshot): Does your organization have a security incident response team? Yes 91%, No 9%. Average number of professionals dedicated to security: 123. Average percentage of time spent on security-related tasks: 63%. The number of dedicated security professionals is reported in bands (1-9, 10-19, 20-29, 30-39, 40-49, 50-99, 100-199, 200+).

Which security services are outsourced? Advice and consulting 51%, monitoring 42%, audit 41%, incident response 35%, remediation 34%; none/all internal 21%. Government appears to outsource more security services than other industry groups.

Source: Cisco Security Capabilities Benchmark Study

Figure 25. Number of Dedicated Security Professionals Within Organizations
Organizations have an average of 123 professionals devoted to security. Government organizations are most likely to outsource their security services.


Thirteen percent of respondents say none of the security threat defenses used are administered through cloud-based services. This is especially true for those in the healthcare, financial services, and pharmaceutical industries.

Figure 27 data, security threat defenses used by organizations (SecOps n=797 / CISO n=941):

► Network security, firewalls/intrusion prevention: 57% / 64%

► Web security: 56% / 62%

► Email/messaging security: 53% / 58%

► Data loss prevention: 55% / 55%

► Encryption/privacy/data protection: 52% / 55%

► Access control/authorization: 55% / 52%

► Authentication: 54% / 51%

► Mobility security: 48% / 54%

► Secured wireless: 47% / 52%

► Endpoint protection/anti-malware: 45% / 52%

► Vulnerability scanning: 44% / 51%

► VPN: 49% / 46%

► Identity administration/user provisioning: 43% / 47%

► Security Information and Event Management (SIEM): 39% / 46%

► Network forensics: 41% / 43%

► Patching and configuration: 38% / 40%

► Penetration testing: 39% / 37%

► DDoS defense: 35% / 37%

► Endpoint forensics: 29% / 33%

The figure also reports, for each defense, the share administered through cloud-based services (SecOps n=759, CISO n=887). Security respondents who use security threat defenses; n=1646.

Source: Cisco Security Capabilities Benchmark Study

Figure 27. Security Threat Defenses Used by Organizations
Various security threat defenses used by organizations in 2014.

A significantly higher proportion of CISOs (70%) say their organization’s infrastructure is very up to date, compared with SecOps managers (57%). Telecommunications companies are most likely to say their security infrastructure is kept up to date.

Figure 26 data: How would you describe your security infrastructure? (base n=1738)

► Our security infrastructure is very up to date, and is constantly upgraded with the best technologies available: 64%

► We replace or upgrade our security technologies on a regular cadence, but aren’t equipped with the latest-and-greatest tools: 33%

► We replace or upgrade our security technologies only when old ones no longer work or are obsolete, or when we identify completely new needs: 3%

Source: Cisco Security Capabilities Benchmark Study

Figure 26. Security Technologies Used in Organizations
About two-thirds of respondents say that their security technologies are up to date and frequently updated.


Organization Security Policies, Procedures and Operations

Figure 28 data (percent disagree / agree / strongly agree; SecOps n=797, CISO n=941, total n=1738).

Confidence levels in organizational security policies:

► We have tools in place to enable us to review and provide feedback regarding the capabilities of our security practice: SecOps 10/41/49; CISO 4/39/57

► We can increase security controls on high-value assets should circumstances require: SecOps 10/43/47; CISO 3/38/59

► Our threat detection and blocking capabilities are kept up to date: SecOps 9/38/53; CISO 3/36/61

► Security is well integrated into our organization’s goals and business capabilities: SecOps 10/39/51; CISO 2/34/64

► Information assets are inventoried and clearly classified: SecOps 11/40/49; CISO 4/38/58

► We do an excellent job of managing HR security: SecOps 9/45/46; CISO 4/36/60

► Computer facilities within my organization are well protected: SecOps 10/39/51; CISO 4/34/62

► Technical security controls in systems and networks are well managed: SecOps 6/41/53; CISO 3/31/66

► Access rights to networks, systems, applications, functions, and data are appropriately controlled: SecOps 8/35/57; CISO 4/32/64

► We do a good job of building security into systems and applications: SecOps 10/38/52; CISO 4/32/64

► We do a good job of building security into our procedures for acquiring, developing, and maintaining systems: SecOps 9/41/50; CISO 4/35/61

Confidence levels in organizational abilities to contain compromises (security operationalization):

► We review and improve our security practices regularly, formally, and strategically over time: SecOps 7/42/51; CISO 3/36/61

► We routinely and systematically investigate security incidents: SecOps 11/40/49; CISO 3/37/60

► We regularly review connection activity on the network to ensure that security measures are working as intended: SecOps 8/39/53; CISO 4/33/63

► Our security technologies are well integrated to work effectively together: SecOps 9/40/51; CISO 3/37/60

► It is easy to determine the scope of a compromise, contain it, and remediate from exploits: SecOps 15/44/41; CISO 8/42/50

More midmarket respondents strongly agree that they “review and improve security practices regularly, formally, and strategically over time” compared to enterprise respondents.

Source: Cisco Security Capabilities Benchmark Study

Figure 28. Confidence Levels in Organizational Security Policies and Organizational Abilities to Contain Compromises
While organizations appear to have confidence in their organizational security policies, they show significantly less confidence in their abilities to scope and contain compromises.


Security professionals in the transportation industry express less confidence in their organization’s ability to detect and defend against known security threats.

Figure 29 data, security controls (percent disagree / agree / strongly agree; SecOps n=797, CISO n=941, total n=1738):

► We follow a standardized incident response practice such as RFC2350, ISO/IEC 27035:2011, or U.S. certification: SecOps 15/42/43; CISO 6/40/54

► We have effective processes for interpreting and prioritizing incoming incident reports and understanding them: SecOps 11/46/43; CISO 4/39/57

► We have good systems for verifying that security incidents actually occurred: SecOps 11/41/48; CISO 4/36/60

► We have a good system for categorizing incident-related information: SecOps 10/43/47; CISO 4/37/59

► We do a good job of notifying and collaborating with stakeholders about security incidents: SecOps 10/46/44; CISO 3/40/57

► We have well-documented processes and procedures for incident response and tracking: SecOps 9/40/51; CISO 4/35/61

► Cyber risk assessments are routinely incorporated into our overall risk assessment process: SecOps 10/37/53; CISO 4/36/60

Significantly more utilities/energy respondents strongly agree with the statement “we have well-documented processes and procedures for incident response and tracking” than professionals from most all other industries.

Effectiveness of security tools (rated by SecOps, n=797, and CISOs, n=941, as not at all or not very effective, somewhat effective, very effective, or extremely effective) for: blocking against known security threats; enabling us to assess potential security risks; enabling us to enforce security policies; detecting network anomalies and dynamically defending against shifts in adaptive threats; and determining the scope of a compromise, containing it and remediating further exploits.

Source: Cisco Security Capabilities Benchmark Study

Figure 29. Respondent Beliefs About Company Security Controls and Organizational Security Tools
While security professionals believe their organizations have good security controls, about a quarter of respondents perceive their security tools to be only “somewhat” effective.


CISOs’ and SecOps’ responses are consistent, with the exception of “stop communication of malicious software.”

Figure 30 data, processes to analyze compromised systems (SecOps n=797 / CISO n=941):

► Firewall log: 59% / 62%

► System log analysis: 58% / 60%

► Malware or file regression analysis: 51% / 58%

► Network flow analysis: 51% / 54%

► Registry analysis: 48% / 51%

► Full packet capture analysis: 44% / 48%

► Correlated event/log analysis: 40% / 44%

► Memory forensics: 39% / 43%

► Disk forensics: 38% / 41%

► Indicators of Compromise (IOC) detection: 38% / 38%

► External [or third-party] incident response/analysis teams: 36% / 38%

Processes to eliminate the cause of security incidents (SecOps n=797 / CISO n=941):

► Quarantine or remove malicious application: 55% / 60%

► Root cause analysis: 55% / 56%

► Stop communication of malicious software: 51% / 55%

► Additional monitoring: 51% / 53%

► Policy updates: 50% / 51%

► Stop communication of compromised application: 47% / 49%

► Long-term fix development: 46% / 48%

► Re-image system to previous state: 43% / 47%

Government respondents tend to report using more processes for analyzing compromised systems than respondents from most other industries.

Source: Cisco Security Capabilities Benchmark Study

Figure 30. Processes Used to Analyze Compromised Systems and Eliminate Causes of Security Incidents
Security professionals are most likely to use firewall logs to analyze compromises, even though these logs do not usually contain high-quality data or context for the information. For better analysis of compromises, security professionals should view IDS and IPS logs, proxy, host-based intrusion prevention systems (HIPS), application logs, and NetFlow regularly.

It is also surprising to see that “Correlated Event/Log Analysis” was lower on the list of tools used to analyze compromises. It may mean that the respondents are not correlating data or linking sources of data together, which can help provide more in-depth analysis of a security event.
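As an added example (not from the Cisco report), the snippet below shows what the linking of data sources the survey finds under-used looks like in practice: firewall, proxy, IDS and NetFlow records for the same internal host are joined by source address and a two-minute window, so that a bare allowed connection in the firewall log gains the user, URL, alert signature and outbound volume from the other sources. All log lines and their formats are constructed samples.

```python
"""Correlate firewall, proxy, IDS and NetFlow records by host and time window.
Added example; log formats below are simplified, made-up samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real product output). Host 10.0.1.25 fetches a
# binary and then sends ~9.8 MB out; the firewall alone shows two allowed flows.
FIREWALL_LOG = """\
2014-10-02T09:14:02 allow src=10.0.1.25 dst=203.0.113.40 dport=443
2014-10-02T09:14:05 allow src=10.0.1.77 dst=198.51.100.9 dport=80
2014-10-02T09:15:30 allow src=10.0.1.25 dst=203.0.113.40 dport=443
"""
PROXY_LOG = """\
2014-10-02T09:14:02 10.0.1.25 user=jdoe GET https://203.0.113.40/update.bin status=200 bytes=1048576
2014-10-02T09:14:05 10.0.1.77 user=asmith GET http://198.51.100.9/index.html status=200 bytes=4211
"""
IDS_LOG = """\
2014-10-02T09:14:03 alert sig="Executable download over TLS" src=10.0.1.25 dst=203.0.113.40
"""
NETFLOW_LOG = """\
2014-10-02T09:15:30 src=10.0.1.25 dst=203.0.113.40 dport=443 bytes_out=9830400 duration=88
"""

# key=value pairs; quoted values may contain spaces (e.g. the IDS signature)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(text, source):
    """Parse one log into event dicts: ISO timestamp first, then key=value
    pairs. The proxy format carries the client IP and URL as bare tokens."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        if source == "proxy":
            tokens = rest.split()
            fields["src"], fields["url"] = tokens[0], tokens[3]
        events.append({"ts": datetime.fromisoformat(ts), "source": source, **fields})
    return events


def firewall_only_view(fw_events):
    """What the firewall log alone offers: allowed (src, dst, dport) tuples,
    with no user, URL, signature or volume attached."""
    return sorted({(e["src"], e["dst"], e["dport"]) for e in fw_events})


def correlate(events, window=timedelta(minutes=2)):
    """Anchor on each firewall event and pull in every other source's events
    for the same internal host within +/- window. Aggregates per host and
    flags the host when an IDS alert coincides with a large outbound flow."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["src"]].append(ev)
    incidents = {}
    for host, evs in by_host.items():
        anchors = [e for e in evs if e["source"] == "firewall"]
        matched = [e for e in evs if e["source"] != "firewall"
                   and any(abs(e["ts"] - a["ts"]) <= window for a in anchors)]
        ctx = {
            "sources": {e["source"] for e in matched},
            "users": {e["user"] for e in matched if "user" in e},
            "urls": {e["url"] for e in matched if "url" in e},
            "alerts": {e["sig"] for e in matched if "sig" in e},
            "bytes_out": sum(int(e["bytes_out"]) for e in matched if "bytes_out" in e),
        }
        # 1 MB threshold is an arbitrary constructed triage rule for the sample
        ctx["suspicious"] = bool(ctx["alerts"]) and ctx["bytes_out"] > 1_000_000
        incidents[host] = ctx
    return incidents


def build_incidents():
    """Parse all four constructed logs and return the correlated per-host view."""
    events = (parse(FIREWALL_LOG, "firewall") + parse(PROXY_LOG, "proxy")
              + parse(IDS_LOG, "ids") + parse(NETFLOW_LOG, "netflow"))
    return correlate(events)


if __name__ == "__main__":
    print("firewall-only view:", firewall_only_view(parse(FIREWALL_LOG, "firewall")))
    for host, ctx in build_incidents().items():
        print(host, ctx)
```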


Government agencies are significantly more likely to have clearly defined notification processes with more constituent groups than other industries.

Figure 31 data, processes to restore affected systems (SecOps n=797 / CISO n=941):

► Implement additional or new detections and controls, based on identified weaknesses post-incident: 55% / 65%

► Patch and update applications deemed vulnerable: 59% / 60%

► Restore from a pre-incident backup: 53% / 60%

► Differential restoration: 53% / 58%

► Gold image restoration: 33% / 36%

Telecommunications and utilities/energy respondents say they utilize gold image restoration more than other industries.

Figure 32 data, groups notified in the event of an incident (SecOps n=797 / CISO n=941):

► Operations: 44% / 48%

► Technology partners: 42% / 47%

► Engineering: 38% / 37%

► Human resources: 37% / 35%

► Legal: 37% / 35%

► All employees: 38% / 33%

► Manufacturing: 31% / 36%

► Business partners: 31% / 33%

► Marketing: 30% / 31%

► Public relations: 30% / 27%

► External authorities: 25% / 20%

Source: Cisco Security Capabilities Benchmark Study

Figure 31. CISOs and SecOps Responses on Post-Incident Controls
More CISOs report implementing additional, post-incident controls than do security operations professionals.

Figure 32. Who Is Notified of Security Incidents
Operations staff and technology partners are most likely to be notified of security incidents through more formal processes.


Organization Security Sophistication

Figure 33 data (segment sizing; segments reflect increasing levels of sophistication around the priority of security and how that translates into processes and procedures): High 39%, Upper-Mid 23%, Middle 26%, Low-Mid 8%, Low 4%. Most companies fit more sophisticated security profiles; this is true in all countries and industries.

Figure 34 data (segment sizing by country for the United States, Brazil, Germany, Italy, United Kingdom, Australia, China, India, and Japan; total average High 38%, Upper-Mid 27%, Middle 22%, Low-Mid 12%, Low 4%): segment distribution varies by country, but more mature segments dominate in all.

Source: Cisco Security Capabilities Benchmark Study

Figure 33. Sophistication of Security Processes
Most companies fit more sophisticated security profiles. This is true in all countries (Figure 34) and across all industries (Figure 35).

Figure 34. Sophistication of Security Processes by Country


Figure 35 data (segment sizing by industry for chemical engineering, financial services, government, healthcare, non-computer-related manufacturing, pharmaceuticals, telecommunications, transportation, and utilities/energy; total average High 39%, Upper-Mid 27%, Middle 24%, Low-Mid 13%, Low 4%): nearly half of telecommunications and utilities/energy organizations are classified into the highly sophisticated security segment.

Source: Cisco Security Capabilities Benchmark Study

Figure 35. Sophistication of Security Processes by Industry
Nearly half of telecommunications and utilities/energy organizations are classified into the highly sophisticated security segment.


Very large organizations are expected to successfully manage security because they have access to the most resources: budget for buying the latest technology, and skilled staff to manage it. Larger midsize enterprises (defined for the purposes of the study as having 500 to 999 employees) might be assumed to lag behind their larger counterparts (1000 or more employees) in terms of their readiness to respond to security incidents. However, according to the Cisco Security Capabilities Benchmark Study, larger midmarket enterprises appear to not only mirror enterprises in security readiness in many areas, but often rate even higher than large organizations, perhaps due to increased organization flexibility and greater agility.

In fact, according to the study, larger midsize organizations are more likely to have highly sophisticated security postures. As illustrated in Figure 36, significantly more large midsize organizations rate in the upper midlevel and high level of sophistication than do smaller midmarket organizations (250-499 employees) and enterprise organizations (1000 or more employees).

The mostly level playing field for midmarket enterprises is promising news, since midmarket companies are the engine of the recovering economy.

Key findings from the benchmark survey on midmarket enterprises and their security readiness:

► Ninety-two percent of midsize organizations have internal incident response teams, as opposed to 93 percent of large enterprises.

► Ninety-four percent of midsize organizations have an executive directly accountable for security, as opposed to 92 percent of larger enterprises.

Figure 36 data: segments reflect increasing levels of sophistication around the priority of security within the organization and how that translates into processes and procedures. Large midsize organizations show a high level of sophistication in their security posture: at least 60 percent fit more security-sophisticated profiles, and significantly more midsize organizations rate in the upper-mid and high levels than do small organizations and enterprises. The figure gives the High / Upper-Mid / Middle / Low-Mid / Low split for midsize organizations, enterprises, and small organizations.

Source: Cisco Security Capabilities Benchmark Study

Source: Cisco Security Capabilities Benchmark Study

Midmarket Organizations Appear Well Positioned for Security Readiness

Figure 36. Large Midsize Organizations’ Sophistication Level in Security Posture


While CISOs and other security leaders may not always think to pay close attention to geopolitical dynamics, they should, especially if they work for a multinational organization. What happens in the geopolitical landscape can have a direct impact on global supply chains, and how the business manages customer and employee data in different countries; it also can create more legal and regulatory costs, risk of trade secret theft, and physical and reputational risks.

Cybercrime is flourishing around the world, especially in areas of weak governance. Eastern Europe, which has long been a hotbed of organized crime, is one example. In areas of weak governance, it is not unusual to find evidence of strong ties between government intelligence services and organized groups involved in cybercrime.

According to U.S. authorities, some recent high-profile attacks that targeted assets in the United States likely originated from such areas. Some of the attacks appeared not to be profit-oriented, but politically motivated campaigns or attempts to gather intelligence or infiltrate infrastructure.7 This could be an indication that the campaigns were state-sponsored and/or orchestrated by sophisticated cybercrime organizations.

More governments are making a concerted effort to implement increased cyber-governance through legislation and regulation. China, for example, made “rule of law” the theme for the fourth plenum of the 18th Communist Party of China (CCP) Congress.8 Beijing has committed to rooting out corruption and enforcing laws in business and within government. This effort may strengthen law enforcement and international efforts to track down cybercriminals and make it harder for them to hide.

Transnational Terrorist Groups Leveraging the Internet

The emergence of transnational terrorist groups, such as the so-called Islamic State (also known as ISIS or ISIL), is another geopolitical trend to watch. While groups like ISIS do not appear to be engaged in any significant cybercrime activity, they do rely heavily on the Internet—namely, social media—to recruit members. For now, it appears that leading transnational terrorist groups are making enough money through traditional fundraising activities such as extortion, human trafficking, and oil. But as these organizations grow, they could turn to cybercrime as a way to fund their efforts around the world. There is also the potential that budding terrorist organizations that do not have access to the same resources as more established groups may explore cybercrime as a fast path to growth.

See the Cisco blog post “Cupcakes and Cyberespionage,” to read about a suggested new approach for defending against cyberespionage.

3. Geopolitical and Industry TrendsCisco security, geopolitical, and policy experts identify current and emerging geopolitical trends that organizations, particularly multinational companies, should monitor. These same experts also examine recent and potential developments around the world related to the issues of data sovereignty, data localization, encryption, and data compatibility.

Cybercrime Thriving in Areas of Weak Governance


The Conundrum of Data Sovereignty, Data Localization, and Encryption

Edward Snowden’s allegations about U.S. government surveillance overreach, data sovereignty (the concept that data is subject to the jurisdiction of the country where it is located and not that of foreign governments or courts that may be seeking unilateral access to it), and data localization (a government mandate that data be stored in a certain place) have become hot-button issues.

Some countries are beginning to seek the ability to localize their data as a way to prevent foreign governments from gaining access to their citizens’ data. They are drafting requirements that data remain inside of their country, or be routed in certain ways, and that companies use domestically manufactured equipment.

Brazil, as an example, recently implemented a new law that “contains privacy requirements that broadly restrict [covered] companies from the sharing of users’ personal information, their communications, and certain online logging data.”9 Russia, meanwhile, recently amended its data protection and information legislation to require all data operators processing personal data of Russian citizens, including Internet data, to keep copies of such data on servers and databases within Russia; the law is slated to go into effect in 2015.10

A potential negative consequence of countries mandating data localization—creating legislation that is not interoperable—is that multinational companies could be subjected to conflicting legal requirements. An obligation to comply with the demands of one nation to produce, retain, or destroy data could violate the laws of another country.

Aside from potentially causing conflicting legal obligations, data localization requirements also have the potential to restrict the flow of data across borders. This can create confusion, as well as significant challenges in administering networks. There is a supply chain aspect here as well: More global supply chain operators are adopting cloud-based technology to connect all of their partners around the world. Data localization could hinder, or prevent, data exchange in those business networks, and potentially hinder cross-border activities to police cybercrime activity.

Additionally, as some countries opt to use only homegrown technologies, or place significant restrictions on who can handle their citizens’ data, there is the potential that they will cut themselves off from the global talent pool and possibly risk a loss of innovation that comes from cross-pollination of new ideas.

Some leading technology companies in the United States are hoping that use of end-to-end encryption will be a way to satisfy their customers’ concerns that their data be protected as it traverses the borderless Internet. The U.S. government has raised concerns, however, that such encryption will prevent its ability to protect citizens. The new director of the GCHQ, Britain’s premier signals intelligence organization, similar to the U.S. National Security Agency, even suggested that U.S. social media technology giants are aiding the efforts of terrorists by enabling them to send encrypted communications around the world.11

Despite these criticisms, technology companies are likely to continue to pursue the development and adoption of technological measures aimed at restoring customer trust until governments have adopted policies that more effectively reflect the importance of enabling free speech and secure commerce while they protect against threats to public safety and national security.

Trust in technology products, and in the companies that develop them, will go a long way toward countries and their governments and citizens having confidence that they, and their data, are protected. As Mark Chandler, Cisco senior vice president, general counsel, and secretary, noted in a Cisco blog post earlier this year, “A serious effort to address these issues can build confidence, and most importantly, result in the promise of the next generation of the Internet being met, a world in which the connection of people and devices drives greater freedom, prosperity, and opportunity for all the world’s citizens.”12

Figure 37. The Conundrum of Balancing Data Sovereignty, Localization, and Encryption (diagram labels: Access, Data Sovereignty, Data Localization, Data Encryption)


Data Privacy Compatibility

A person’s or organization’s attitudes about data privacy can vary greatly depending on where in the world they live and work. These varied viewpoints affect how governments regulate data privacy, and how enterprises do business when these regulations are at odds with each other. The Data Protection Heat Index Survey Report, sponsored by Cisco and prepared by the Cloud Security Alliance, details some of the challenges faced by enterprises working with data outside of their own countries, or data that belongs to individuals outside of the country in which the business operates.

The conversation around data privacy compatibility—that is, creating consistent global approaches to data privacy—has become more urgent due to the growth of cloud services. For example, if a company based in the United States purchases cloud storage from a company in India, and uses that cloud to store data for customers residing in Germany, which region or country’s privacy laws apply?

Other drivers of data privacy compatibility are the Internet of Things (IoT) and big data. As enterprises consider new ways to connect devices to each other, and use massive datasets to make business decisions, they need structure and rules for how this data may be handled on a global scale.

Various efforts are under way aimed at harmonizing data privacy requirements across a region or group of countries. For example, European Union legislation is currently being shaped that will update the existing data protection framework—the General Data Protection Regulation, calling for a harmonization of data protection regulations. Efforts to achieve consensus around data privacy and data sovereignty laws are intensifying. Greater harmonization would be welcome, but it is also important that the final text is outcome-oriented, interoperates with other regions, and is appropriate for the new technology realities. The Asia-Pacific region has developed the Cross-Border Privacy Enforcement Arrangement from the Asia-Pacific Economic Cooperation (APEC), which facilitates data sharing in local economies. More work must be done by governments to meet the larger goal of creating compatible regimes for data privacy and security anchored in globally recognized standards that promote an open Internet with free flows of data across both national and regional borders.

As countries and regions clarify their data privacy approaches, enterprises will be better able to apply consistent privacy practices globally, and implement more effective “privacy by design” frameworks, in which privacy capabilities are built into products and services right from the start. Clear and consistent privacy regulatory frameworks would help companies meet and exceed privacy requirements, no matter where their offerings are being deployed, thereby encouraging innovative product development and use of data.

Figure 38. Meeting Diverse Regulatory and Consumer Expectations (diagram labels: Big Data, Internet of Things, Cloud Sharing, Consumer Expectations, Regulation Expectations)


Data Privacy: A Shared Understanding

The data protection survey asked global privacy experts in North America, the European Union, and the Asia-Pacific region about regulation of data in their region, governmental practices, user content, and security standards. Responses showed a high level of consistency in respondents’ understanding of the meaning of data privacy, and in the value of global privacy standards.

► Data residency and sovereignty: Respondents identified personal data and personally identifiable information (PII) as the data that is required to remain resident in most countries.

► Lawful interception: Respondents showed a universal interpretation of when and how data may be intercepted—for example, when it’s needed for a criminal investigation.

► User consent: Seventy-three percent of respondents agreed that there should be a consumer privacy bill of rights that is global in nature as opposed to regional. Sixty-five percent said that the United Nations should play an active role in the creation of such a bill.

► Privacy principles: Respondents were asked if privacy principles from the Organisation for Economic Cooperation and Development would facilitate data harmonization, or would instead create greater tension. The data privacy experts surveyed were largely in favor of the adoption of these principles.

In sum, the data privacy survey seems to show that many experts agree on basic privacy principles that, if adopted and standardized globally, can be an enabler of business, not an obstacle. The results also indicate that data privacy experts share an interest in “baking in” privacy principles for new technology solutions, instead of trying to retrofit these solutions to accommodate privacy requirements. However, current privacy regulatory frameworks are relatively nascent and evolving rapidly.

Should a greater level of harmonization advance, companies and individuals will benefit. But to the extent that industry continues to see discordant privacy frameworks globally, companies will need to think through privacy and data protection issues carefully, and proactively adapt their offerings and processes to meet diverse customer and regulatory expectations.

To learn more about data protection issues, see the Cisco Security blog post, “Data Protection in the Balance—EU Citizen Protection and Innovation.”


4. Changing the View Toward Cybersecurity—From Users to the Corporate Boardroom

Cisco security experts suggest that it is time for enterprises to start looking differently at how they approach cybersecurity so they can truly make their organizations more secure. Strategies include considering new approaches to help align people, processes, and technology, making security a topic at the corporate boardroom level, and adopting more sophisticated security controls that can reduce the endpoint and attack surface—and harden the network after an attack.

Secure Access: Understanding Who Is on Your Network, When, and How

CISOs and other security professionals are faced with complex challenges regarding access to network information and services. Thanks to the trends toward mobility and bring-your-own-device (BYOD) policies, they must ensure that employees can gain access to enterprise resources, no matter where they happen to be, and no matter how they join the network.

Security professionals also need to protect the network from unapproved users or criminal attacks, and they must do so in a way that doesn’t impede access by legitimate users. For example, virtual private networks (VPNs) used to be the standard solution for providing network access control. However, some VPNs call for complicated login procedures by users as well as special software, limiting when and how people join the network. In addition, many VPNs don’t help IT departments identify who is gaining access and from where, nor can VPNs identify the devices in use. VPNs are evolving to provide more visibility, while producing a more transparent user experience in order to provide better endpoint security.

Network access controls (NACs) are evolving away from basic security protection to more sophisticated endpoint visibility, access, and security (EVAS) controls. Unlike older NAC technologies, EVAS use more granular information to enforce access policies, such as data about user role, location, business process considerations, and risk management. EVAS controls also help grant access beyond computers, allowing network administrators to provide access through mobile and IoT devices.

EVAS help enable a network-as-a-sensor approach to security enforcement, granting or halting access throughout the extended network, whether from a remote device (VPN), prior to connecting to network services, or even within the network itself across sensitive resource pools. EVAS can also help organizations reduce the endpoint and network attack surface, limit the scale and scope of an attack, streamline remediation processes, and even harden the network after an attack has occurred.

For more information about EVAS solutions and how they can help organizations improve security, see the Cisco Security blog post, “New White Paper from Enterprise Strategy Group on the Evolution of and Need for Secure Network Access.”


Before an attack, EVAS can:

► Identify risky assets. Monitor all assets connected to the network at any time, identifying non-compliant users, devices, and applications, and correlate this information with third-party vulnerability assessment tools.

► Improve risk mitigation. Gather actionable intelligence that can be shared with other security and network applications to improve workflows, streamline operations, and prioritize remediation activity.

► Enforce granular network access policies. Provide contextual information for granular policy enforcement, and limit access to sensitive content, assets, or network segments.

During an attack, EVAS can:

► Integrate with advanced network-based threat defense systems. Share knowledge when malicious activity is detected for the purpose of correlating attack data with endpoint connections, configurations, and behavior patterns over time.

► Block “kill chain” tactics from compromised systems. Limit lateral attack movement by stopping compromised systems from reaching out to policy-controlled, non-authorized network assets to steal credentials, escalate privileges, and exfiltrate valuable data.

► Limit the scope of an attack. Restrict and thereby quarantine systems that exhibit anomalous behavior.

After an attack is detected, EVAS can:

► Assess endpoint profiles for vulnerabilities. Share information from the EVAS database with vulnerability analysis tools, which can help IT operations prioritize a fix.

► Remediate compromised systems. When integrated with security information and event management (SIEM) systems, and endpoint security systems, EVAS can automate fixes and monitor progress.

► Fine-tune access policies and security controls. Work with networking and security equipment to segment application traffic or add new firewall rules or IPS signatures.

Unlike overly complex network access controls of the past, EVAS solutions are business enablers. As organizations embrace BYOD policies, cloud computing, and mobility initiatives, gaining visibility, improving context into connected users and devices, and e�ectively enforcing security policies become more imperative. Cisco security experts predict that CISOs will increasingly turn to EVAS solutions to manage the complex web of connections among users, devices, networks, and cloud services.
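The EVAS behaviour described above (refusing high-risk assets, redirecting non-compliant endpoints to remediation, restricting sensitive segments by location, and quarantining anomalous systems so they cannot move laterally) is, at its core, a context-to-segment policy engine. The Python below is an added illustration of such an engine, not Cisco's code or any product's API; the roles, segment names, endpoint fields, and the risk threshold are assumptions chosen for the example, and the sample endpoints are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Decision(Enum):
    ALLOW = "allow"            # full access for the role
    RESTRICTED = "restricted"  # reduced segment set
    QUARANTINE = "quarantine"  # remediation segment only
    DENY = "deny"              # no network access


@dataclass(frozen=True)
class Endpoint:
    """Context gathered about a connecting endpoint (assumed field set)."""
    user: str
    role: str                # "employee", "finance", "contractor", "guest", "iot"
    device_type: str         # "managed-laptop", "byod-phone", "iot-sensor"
    posture_compliant: bool  # patch / endpoint-protection checks passed
    location: str            # "campus", "vpn", "guest-wifi"
    risk_score: int          # 0-100, fed from telemetry and vulnerability tooling
    anomalous: bool = False  # behavioural detection flagged this endpoint


@dataclass(frozen=True)
class AccessDecision:
    decision: Decision
    segments: FrozenSet[str]  # network segments the endpoint may reach
    reason: str               # shown to the user and logged for the SOC


# Hypothetical role -> segment policy; segment names are assumptions.
ROLE_SEGMENTS = {
    "employee":   frozenset({"corp", "internet"}),
    "finance":    frozenset({"corp", "finance-db", "internet"}),
    "contractor": frozenset({"corp-limited", "internet"}),
    "guest":      frozenset({"internet"}),
    "iot":        frozenset({"iot-vlan"}),
}
CAMPUS_ONLY = frozenset({"finance-db"})  # assumed: only reachable on campus
RISK_DENY_THRESHOLD = 80                 # assumed cut-off


def decide(ep: Endpoint) -> AccessDecision:
    """Evaluate rules in priority order; the first matching rule wins."""
    # During an attack: confine anomalous endpoints to a remediation segment
    # so they cannot reach other assets (lateral-movement containment).
    if ep.anomalous:
        return AccessDecision(Decision.QUARANTINE, frozenset({"remediation"}),
                              "endpoint exhibited anomalous behaviour; quarantined for investigation")
    # Before an attack: refuse high-risk assets outright.
    if ep.risk_score >= RISK_DENY_THRESHOLD:
        return AccessDecision(Decision.DENY, frozenset(),
                              f"risk score {ep.risk_score} exceeds threshold {RISK_DENY_THRESHOLD}")
    if ep.role not in ROLE_SEGMENTS:
        return AccessDecision(Decision.DENY, frozenset(), f"unknown role {ep.role!r}")
    # IoT devices stay in their own segment regardless of the associated user.
    if ep.device_type == "iot-sensor":
        return AccessDecision(Decision.RESTRICTED, ROLE_SEGMENTS["iot"],
                              "IoT device confined to iot-vlan")
    # Non-compliant endpoints: managed devices are sent to remediation to be
    # fixed; personal devices get internet-only access until posture passes.
    if not ep.posture_compliant:
        if ep.device_type.startswith("managed"):
            return AccessDecision(Decision.QUARANTINE, frozenset({"remediation"}),
                                  "managed device failed posture check; redirected to remediation")
        return AccessDecision(Decision.RESTRICTED, frozenset({"internet"}),
                              "personal device failed posture check; internet-only access")
    segments = ROLE_SEGMENTS[ep.role]
    # Location context: sensitive segments are unreachable off campus.
    withheld = segments & CAMPUS_ONLY
    if ep.location != "campus" and withheld:
        return AccessDecision(Decision.RESTRICTED, segments - withheld,
                              f"{', '.join(sorted(withheld))} reachable only from campus")
    return AccessDecision(Decision.ALLOW, segments, f"role {ep.role} granted standard access")


def can_reach(decision: AccessDecision, segment: str) -> bool:
    """Enforcement-point check: may this endpoint open a flow to `segment`?"""
    return segment in decision.segments


if __name__ == "__main__":
    # Constructed sample endpoints exercising each rule.
    samples = [
        Endpoint("alice", "finance", "managed-laptop", True, "campus", 10),
        Endpoint("alice", "finance", "managed-laptop", True, "vpn", 10),
        Endpoint("bob", "employee", "managed-laptop", True, "campus", 20, anomalous=True),
        Endpoint("carol", "employee", "byod-phone", False, "campus", 5),
        Endpoint("eve", "contractor", "byod-phone", True, "vpn", 85),
    ]
    for ep in samples:
        d = decide(ep)
        print(f"{ep.user:6} {ep.location:7} -> {d.decision.value:10} {sorted(d.segments)}  ({d.reason})")
```

The reason string serves two of the report's themes at once: it gives the SOC a log line that explains the enforcement decision, and it gives the user the context the manifesto asks for instead of a bare "access denied".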

Figure 39. The Evolution of Network Access Controls (NACs) to Endpoint Visibility, Access, and Security (EVAS) Controls (diagram labels: NAC Evolution to EVAS; Consistent Secure Access Policy Enforced Across the Extended Network; Security and Network Context Data Sharing; Network Telemetry; Device Profile Feed Service; Who, What, Where, When, How; VPN Client, Mobile, Router, Switch, VPN and Firewall, DC Switch, Wireless Controller)


The Future of Cybersecurity Hinges on Boardroom Engagement Today

According to the Cisco Security Capabilities Benchmark Study, 91 percent of organizations have an executive with direct responsibility for security. But for modern businesses, security leadership needs to ascend even higher in the organization: to the boardroom.

Recent, massive data breaches involving well-known companies, more legislation and regulation related to data security, geopolitical dynamics, and shareholder expectations are all factors making cybersecurity an agenda item in the boardroom. A report by the Information Systems Audit and Control Association (ISACA) revealed that 55 percent of corporate directors now have to personally understand and manage cybersecurity as a risk area.13

This is a positive development, but one that Cisco security leaders believe is long overdue. In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief executive to the newest hire, and not just personnel with “security” in their title or job description. Everyone should be accountable, and learn how not to be a victim.

Cisco security leaders assert that a core component of the future of cybersecurity will be greater engagement by the board. Corporate boards of directors across industries need to know what the cybersecurity risks to the business are and their potential impact. To truly understand the scope of cybersecurity issues that affect the organization, some boards may need to add members with technology and cybersecurity expertise.

Boards also need to start asking tough questions about security controls: What controls do we have in place? How well have they been tested? Do we have a reporting process? How quickly can we detect and remediate the inevitable compromise? And perhaps, the most important question: What else should we know? CIOs need to be prepared to answer those questions from the board, in terms that are meaningful to board members, and also outline business implications.

In a recent interview with FORTUNE magazine,14 Cisco Chief Security and Trust Officer John Stewart said that the board asking these types of questions will help spark “an interesting set of downstream effects” that ultimately will lead to the security industry maturing. From there, he said, the next vital step—the hope—will be that manufacturers finally recognize that they must build security into their products.

Stewart predicts that as the Internet of Things (IoT) evolves, and there are more “people-less devices on the Internet than people-with devices,” there will be inevitable “accidents” of potentially great magnitude. Designing security into products will help to avoid many of these issues, or at least, lessen their impact.

Therefore, the boards of technology manufacturers should ask their security leaders: Are we building security into our products? And if not, how soon can we start?

View the video blog by Cisco Chief Security and Trust Officer John Stewart on the importance of cybersecurity transparency and accountability to the board: http://blogs.cisco.com/security/ensuring-security-and-trust-stewardship-and-accountability.


Cisco Security Manifesto: Basic Principles for Achieving Real-World Security

Today’s CISOs need to answer hard questions: How do I make my security team the first point of contact for the business when potential security issues arise? How can I ensure my team has the tools and visibility to determine what security issues are most relevant, and require action? And how do I keep users—the key to business success—safe, and not just when they are working on-site?

Cisco security experts suggest that CISOs can address these questions by implementing and following a set of security principles known as the Cisco Security Manifesto.

This inaugural security manifesto can help security teams, and the users in their organizations, to better understand and respond to the cybersecurity challenges of today’s world. These principles can serve as a baseline for organizations as they strive to become more dynamic in their approach to security, and more adaptive and innovative than adversaries:

1. Security must be considered a growth engine for the business. Security should never be a roadblock or hassle that undermines user productivity and stands in the way of business innovation. Yet security teams impose technological solutions that do exactly that. A primary reason: They are not invited in time, or at all, to discussions about business projects that require the deployment of new technology. However, security professionals are also guilty of waiting for an invitation they may never receive. They instead must take proactive steps to ensure they are involved in technology conversations, and understand how security processes can enable the organization’s agility and success, while also protecting its data, assets, and image.

2. Security must work with existing architecture, and be usable. Security teams should not have to build an architecture to accommodate new technology solutions that are meant to improve security. Architectures, by nature, are constraining. Organizations should not have to change the way they do business to accommodate new security technologies, or be prevented from making changes in how they operate because of the technologies they already have in place. The end result of “architecture overload” is that users will circumvent security architecture, leaving the organization less secure. In addition, if a security technology is too difficult for users to understand, and must be maintained by hard-to-find, specialized security talent, it is not useful to the organization.

3. Security must be transparent and informative. Users should be presented with information that helps them understand why security is stopping them from taking a particular action. They also need to know how they can do what they want to do safely, instead of bypassing security in the name of doing their jobs. As an example, when a user attempts to access a web page and is met with the message, “Access to this site has been denied by your administrator,” there is no context as to why they can’t access the page. But if the message said, “Access to this site has been denied because it has served malware in the last 48 hours,” the user would be better informed and understand the potential risk not only to the organization, but to them, as an individual user. Security technologies also should help users to achieve their goals safely through clear recommendations or by directing them to appropriate resources for timely assistance.

4. Security must enable visibility and appropriate action. Security solutions with open security architecture enable security teams to determine whether those solutions are truly effective. Security professionals also need tools for automating visibility into the network so they not only can see traffic, but also the assets that make up the network. By understanding how security technologies operate, and what is normal (and not normal) in the IT environment, security teams can reduce their administrative workload while becoming more dynamic and accurate in identifying and responding to threats and adapting defenses. In taking this approach, security teams can take full advantage of more relevant and targeted controls to aid in resolution.

5. Security must be viewed as a “people problem.” A technology-centric approach to security does not improve security; in fact, it makes matters worse. Technologies are merely tools that can enhance the ability of people to secure their environment. Security teams need to educate users about safe habits that they should apply no matter where they are using technology—at the office, at home, on the road—so they can make good decisions and feel empowered to seek timely assistance when they think something is wrong. Improved dialogue between security professionals and users will also help users see that technology alone cannot assure security. People, processes, and technology, together, must form the defense against today’s threats. Commitment and vigilance by all users in the organization, from the top down, empower security success.


The Cisco Security Manifesto is a call for a change. In the real world, security technology, policies, and best practices should raise the average level of security for everyone in the organization, and help the business make more informed risk decisions—down to each individual user. And with strong principles to guide them, users can gain a clear understanding of why they are prevented from taking certain actions, and what the impact likely would be if they decide to bypass security.

The Cisco Security Manifesto, or one that echoes its core principles, can help both users and security practitioners to see the “big picture” on security: While many threats can be avoided, compromise is inevitable—but remediation can be swift. The goal is to reduce the time to resolution when a compromise is eventually successful, and not focus solely on trying to prevent these events.

About Cisco

Cisco delivers intelligent cybersecurity for the real world, providing one of the industry’s most comprehensive advanced threat protection portfolios of solutions across the broadest set of attack vectors. Cisco’s threat-centric and operationalized approach to security reduces complexity and fragmentation while providing superior visibility, consistent control, and advanced threat protection before, during, and after an attack.

Threat researchers from the Collective Security Intelligence (CSI) ecosystem bring together, under a single umbrella, the industry’s leading threat intelligence, using telemetry obtained from the vast footprint of devices and sensors, public and private feeds, and the open source community at Cisco. This amounts to a daily ingest of billions of web requests and millions of emails, malware samples, and network intrusions.

Our sophisticated infrastructure and systems consume this telemetry, enabling machine-learning systems and researchers to track threats across networks, data centers, endpoints, mobile devices, virtual systems, web, email, and from the cloud to identify root causes and scope outbreaks. The resulting intelligence is translated into real-time protections for our products and services offerings that are immediately delivered globally to Cisco customers.

The CSI ecosystem comprises multiple groups with distinct charters: Talos, Security & Trust Organization, Managed Threat Defense (MTD), and Security Research and Operations (SR&O).

To learn more about Cisco’s threat-centric approach to security, visit www.cisco.com/go/security.


Appendix

Additional Security Capabilities Benchmark Study Findings

Resources

Only a minority of organizations keep IT and Security budgets completely separate.

Is the security budget part of the IT budget? (IT Department members; n=1720)
Completely Separate: 6%
Partially Within IT: 33%
All Within IT: 61%

Highest ranking executive accountable for security is most often a CISO or CSO.

Is there an executive at your organization who has direct responsibility and accountability for security? (Respondents who report clarified roles and responsibilities; n=1603)
Yes: 91%
No: 9%

Executive’s Title (Respondents who report an executive with security responsibility; n=1465)
CISO: 29%
CSO: 24%
CIO: 16%
CEO: 10%
CTO: 9%
S.VP IT: 7%
COO: 4%
Other: 1%

Healthcare is less likely than other industries to identify an executive accountable for security.

Security Policies, Procedures, and Operations


Nearly two-thirds say that executive leadership considers security a high priority.

More respondents who report they have not had to manage public scrutiny of a security breach in the organizationstrongly agree with “executive leadership at my organization considers security a high priority.”

Executive leadership at my organization considers security a high priority

SecOps CISO

Disagree/Agree/Strongly Agree Disagree/Agree/Strongly Agree

8% 34% 58% 3% 30% 67%

Security roles and responsibilities are clari�ed within myorganization's executive team 9% 39% 52% 2% 32% 64%

My organization's executive team has established clear metrics forassessing e�ectiveness of our security program

11% 44% 45% 4% 37% 59%

n=797n=1738 n=941Executive Engagement

Security Processes

High proportions report security processes that encourage employee participation.

Security professionals from midmarket organizations tend to express higher levels of agreement with security process items than do enterprise professionals.

Percentage of respondents who Disagree / Agree / Strongly Agree (SecOps n=797; CISO n=941; total n=1738):

Line-of-business managers are encouraged to contribute to security policies and procedures
  SecOps: 12% / 39% / 49%
  CISO:   6% / 40% / 54%

My organization is able to detect security weaknesses before they become full-blown incidents
  SecOps: 13% / 43% / 44%
  CISO:   4% / 39% / 57%

Employees at my organization are encouraged to report failures and problems with security
  SecOps: 11% / 34% / 55%
  CISO:   4% / 36% / 60%

Security processes and procedures at my organization are clear and well understood
  SecOps: 13% / 39% / 48%
  CISO:   4% / 37% / 59%

Security processes at my organization enable us to anticipate and mitigate potential security issues proactively
  SecOps: 14% / 40% / 46%
  CISO:   3% / 40% / 47%

Security processes at my organization are measured and controlled using quantitative data
  SecOps: 13% / 40% / 47%
  CISO:   4% / 35% / 61%

My organization has optimized its security processes and is now focused on process improvement
  SecOps: 12% / 42% / 46%
  CISO:   4% / 36% / 60%



Nine in 10 respondents say regular security training is provided to security employees—typically delivered by the security team.

Are security awareness and/or training programs delivered to security staff on a regular basis? (Respondents dedicated to security; n=1726)
  Yes 90%
  No 10%

Who delivers security training? (Respondents whose security teams receive training; n=1556)
  Internal security team 79%
  Third-party contractors 38%
  Human resources 25%
  Other employees 10%
  Other 1%

How often is security training delivered? (Respondents dedicated to security; n=1556)
  >1x per year 82%
  <1x per year / >1x per 2 years 17%
  <1x per 2 years 1%

Financial Services: Fifteen percent of financial services professionals say security training is not offered regularly (15% vs. 10% overall).

Staff commonly attend conferences or training; about two-thirds say they’re involved in security industry associations.

Do security staff members attend conferences and/or external training to improve and maintain their skills? (Respondents dedicated to security; n=1715)
  Yes 89%
  No 11%

Do employees serve on security industry boards or committees? (Respondents dedicated to security; n=1690)
  Yes 64%
  No 36%



Over half of respondents say their organization has had to manage public scrutiny of a security breach.

Has your organization ever had to manage public scrutiny of a security breach? (Respondents dedicated to security; n=1701)
  Yes 54%
  No 46%

Where Are Networks Hosted?

On-premise hosting of the organization’s networks is most common; fewer than one in 10 report they are hosted in a public cloud.

Significantly more SecOps respondents say off-premise hosting (both private and public cloud) is used in their organization, compared to CISOs.

Where are networks hosted? (n=1727; respondents could select more than one option)
  On-Premise 54%
  On-Premise Private Cloud 50%
  On-Premise Third-Party 23%
  Off-Premise Private Cloud 18%
  Off-Premise Public Cloud 8%


Sophistication

Segments vary predictably on many measures of security sophistication …

Percentage agreeing, by sophistication segment (Low / Low-Mid / Middle / Upper-Mid / High):

Company executives consider security a high priority
  22% / 38% / 45% / 71% / 81%

… and have clear metrics for assessing security program effectiveness
  17% / 19% / 32% / 52% / 79%

The company has clear, well-understood security processes/procedures
  0% / 22% / 15% / 72% / 88%

… that are measured and controlled using quantitative data
  0% / 17% / 33% / 65% / 76%

… and regularly reviews security practices and tools to ensure they’re up to date and effective
  0% / 17% / 33% / 65% / 76%

… the company is able to detect security weaknesses before they become full-blown incidents
  0% / 23% / 25% / 63% / 70%

Information assets are inventoried and clearly classified
  17% / 26% / 40% / 58% / 73%

The company does an excellent job managing HR security through onboarding and good processes for transfers and departures
  16% / 27% / 36% / 52% / 76%

Computer facilities within my organization are well protected
  17% / 21% / 41% / 63% / 80%

Security technologies are well integrated to work effectively together
  17% / 21% / 38% / 59% / 78%

But not on all …

Percentage agreeing, by sophistication segment (Low / Low-Mid / Middle / Upper-Mid / High):

There is an executive with direct responsibility and accountability for security
  85% / 91% / 88% / 93% / 93%

The company has a written, formal organization-wide security strategy that’s reviewed regularly
  59% / 47% / 58% / 65% / 60%

The company follows a standardized information security policy practice such as ISO 27001
  47% / 44% / 50% / 59% / 54%




Americas Headquarters: Cisco Systems Inc., San Jose, CA

Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore

Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership between Cisco and any other company. (1110R)

Cisco 2015 Annual Security Report